quasar | c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
Size

9.0MB
MD5

4921d7a6d49401873cff200a4f3d990d
SHA1

3d008d53e798505b858ff48574f3080210c56e27
SHA256

c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047
SHA512

9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4
SSDEEP

98304:F6D7RBxsErIVyJTk8LJ5i4J/OCV4HEZFrp:QRw08yJIC5uuT

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3100-17-0x0000000000690000-0x00000000009B4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
392	msconfig.exe
1536	msconfig.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 3552 set thread context of 3100	3552	csc.exe	110
PID 392 set thread context of 1280	392	msconfig.exe	123
PID 1280 set thread context of 3472	1280	csc.exe	136
PID 1536 set thread context of 2168	1536	msconfig.exe	148

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4624	schtasks.exe
4240	schtasks.exe
816	schtasks.exe
4512	schtasks.exe
2460	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	csc.exe
Token: SeDebugPrivilege	3472	csc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3100	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3552	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	100
PID 748 wrote to memory of 3124	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	101
PID 748 wrote to memory of 3124	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	101
PID 748 wrote to memory of 3124	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	101
PID 748 wrote to memory of 4636	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	103
PID 748 wrote to memory of 4636	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	103
PID 748 wrote to memory of 4636	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	103
PID 4636 wrote to memory of 816	4636	cmd.exe	105
PID 4636 wrote to memory of 816	4636	cmd.exe	105
PID 4636 wrote to memory of 816	4636	cmd.exe	105
PID 748 wrote to memory of 1992	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	106
PID 748 wrote to memory of 1992	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	106
PID 748 wrote to memory of 1992	748	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	106
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 3100	3552	csc.exe	110
PID 3552 wrote to memory of 1340	3552	csc.exe	111
PID 3552 wrote to memory of 1340	3552	csc.exe	111
PID 3552 wrote to memory of 1340	3552	csc.exe	111
PID 3552 wrote to memory of 2880	3552	csc.exe	113
PID 3552 wrote to memory of 2880	3552	csc.exe	113
PID 3552 wrote to memory of 2880	3552	csc.exe	113
PID 2880 wrote to memory of 4512	2880	cmd.exe	115
PID 2880 wrote to memory of 4512	2880	cmd.exe	115
PID 2880 wrote to memory of 4512	2880	cmd.exe	115
PID 3552 wrote to memory of 2952	3552	csc.exe	116
PID 3552 wrote to memory of 2952	3552	csc.exe	116
PID 3552 wrote to memory of 2952	3552	csc.exe	116
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 1280	392	msconfig.exe	123
PID 392 wrote to memory of 2272	392	msconfig.exe	124
PID 392 wrote to memory of 2272	392	msconfig.exe	124
PID 392 wrote to memory of 2272	392	msconfig.exe	124
PID 392 wrote to memory of 1436	392	msconfig.exe	126
PID 392 wrote to memory of 1436	392	msconfig.exe	126
PID 392 wrote to memory of 1436	392	msconfig.exe	126
PID 1436 wrote to memory of 2460	1436	cmd.exe	128
PID 1436 wrote to memory of 2460	1436	cmd.exe	128
PID 1436 wrote to memory of 2460	1436	cmd.exe	128
PID 392 wrote to memory of 3436	392	msconfig.exe	129
PID 392 wrote to memory of 3436	392	msconfig.exe	129
PID 392 wrote to memory of 3436	392	msconfig.exe	129
PID 1280 wrote to memory of 3472	1280	csc.exe	136
PID 1280 wrote to memory of 3472	1280	csc.exe	136
PID 1280 wrote to memory of 3472	1280	csc.exe	136
PID 1280 wrote to memory of 3472	1280	csc.exe	136

C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
"C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:1992

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:3436

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe

Filesize
9.0MB

MD5
4921d7a6d49401873cff200a4f3d990d

SHA1
3d008d53e798505b858ff48574f3080210c56e27

SHA256
c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

SHA512
9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

Download Submit
memory/748-1-0x0000000000B80000-0x000000000148E000-memory.dmp

Filesize
9.1MB

Download
memory/748-2-0x0000000006430000-0x00000000069D4000-memory.dmp

Filesize
5.6MB

Download
memory/748-3-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/748-4-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/748-5-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/748-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/748-13-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-34-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/3100-24-0x0000000006250000-0x0000000006302000-memory.dmp

Filesize
712KB

Download
memory/3100-26-0x0000000007A00000-0x0000000007A3C000-memory.dmp

Filesize
240KB

Download
memory/3100-17-0x0000000000690000-0x00000000009B4000-memory.dmp

Filesize
3.1MB

Download
memory/3100-18-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3100-27-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/3100-21-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/3100-22-0x00000000064E0000-0x0000000006AF8000-memory.dmp

Filesize
6.1MB

Download
memory/3100-23-0x0000000005FE0000-0x0000000006030000-memory.dmp

Filesize
320KB

Download
memory/3100-25-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/3552-9-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-20-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-8-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3552-7-0x0000000000850000-0x0000000000B7A000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads