quasar | c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

Analysis

max time kernel
131s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
Size

9.0MB
MD5

4921d7a6d49401873cff200a4f3d990d
SHA1

3d008d53e798505b858ff48574f3080210c56e27
SHA256

c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047
SHA512

9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4
SSDEEP

98304:F6D7RBxsErIVyJTk8LJ5i4J/OCV4HEZFrp:QRw08yJIC5uuT

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2428-16-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
3540	msconfig.exe
3376	msconfig.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2404 set thread context of 2428	2404	csc.exe	90
PID 3540 set thread context of 2284	3540	msconfig.exe	99
PID 2284 set thread context of 4300	2284	csc.exe	107
PID 3376 set thread context of 2360	3376	msconfig.exe	116

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3032	schtasks.exe
2448	schtasks.exe
132	schtasks.exe
2352	schtasks.exe
1648	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	csc.exe
Token: SeDebugPrivilege	4300	csc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 2404	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	81
PID 2256 wrote to memory of 1408	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	82
PID 2256 wrote to memory of 1408	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	82
PID 2256 wrote to memory of 1408	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	82
PID 2256 wrote to memory of 3332	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	84
PID 2256 wrote to memory of 3332	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	84
PID 2256 wrote to memory of 3332	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	84
PID 3332 wrote to memory of 2448	3332	cmd.exe	86
PID 3332 wrote to memory of 2448	3332	cmd.exe	86
PID 3332 wrote to memory of 2448	3332	cmd.exe	86
PID 2256 wrote to memory of 1344	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	87
PID 2256 wrote to memory of 1344	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	87
PID 2256 wrote to memory of 1344	2256	c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe	87
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2428	2404	csc.exe	90
PID 2404 wrote to memory of 2132	2404	csc.exe	91
PID 2404 wrote to memory of 2132	2404	csc.exe	91
PID 2404 wrote to memory of 2132	2404	csc.exe	91
PID 2404 wrote to memory of 3640	2404	csc.exe	93
PID 2404 wrote to memory of 3640	2404	csc.exe	93
PID 2404 wrote to memory of 3640	2404	csc.exe	93
PID 3640 wrote to memory of 132	3640	cmd.exe	95
PID 3640 wrote to memory of 132	3640	cmd.exe	95
PID 3640 wrote to memory of 132	3640	cmd.exe	95
PID 2404 wrote to memory of 2248	2404	csc.exe	96
PID 2404 wrote to memory of 2248	2404	csc.exe	96
PID 2404 wrote to memory of 2248	2404	csc.exe	96
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 2284	3540	msconfig.exe	99
PID 3540 wrote to memory of 1388	3540	msconfig.exe	100
PID 3540 wrote to memory of 1388	3540	msconfig.exe	100
PID 3540 wrote to memory of 1388	3540	msconfig.exe	100
PID 3540 wrote to memory of 3584	3540	msconfig.exe	102
PID 3540 wrote to memory of 3584	3540	msconfig.exe	102
PID 3540 wrote to memory of 3584	3540	msconfig.exe	102
PID 3584 wrote to memory of 2352	3584	cmd.exe	104
PID 3584 wrote to memory of 2352	3584	cmd.exe	104
PID 3584 wrote to memory of 2352	3584	cmd.exe	104
PID 3540 wrote to memory of 4964	3540	msconfig.exe	105
PID 3540 wrote to memory of 4964	3540	msconfig.exe	105
PID 3540 wrote to memory of 4964	3540	msconfig.exe	105
PID 2284 wrote to memory of 4300	2284	csc.exe	107
PID 2284 wrote to memory of 4300	2284	csc.exe	107
PID 2284 wrote to memory of 4300	2284	csc.exe	107
PID 2284 wrote to memory of 4300	2284	csc.exe	107

C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe
"C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:132
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:1344

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
    3⤵
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:4964

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log

Filesize
520B

MD5
197fd086992c5b5eb6157c9a3a975845

SHA1
0f91d80c561c3c9398dca480bccd2b97be7d3995

SHA256
3ed1b46e4594bb416a85f689348ecea7a74c7529a9997f116ada05d1430683c4

SHA512
2deb85a9ee1b4e99e9a3875ab6089da6fe7e6e502fc2eebf65e8c9de9e2fae79b07465f2c71b24739914952cd4d646b71ddca4adf602b4cafebff01e4a8a9ad2

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe

Filesize
9.0MB

MD5
4921d7a6d49401873cff200a4f3d990d

SHA1
3d008d53e798505b858ff48574f3080210c56e27

SHA256
c9d37a723484c763c7c25000eb11c7bb9cda571a8c2b7886f4610af6cd473047

SHA512
9bc506b0615f3e7ba18ed70c92bef4dff257aad5437f17670ba88d8aec1ce20b0b46f8c194918e2c0fa0fa0397ec0ef2f954801da09fbf211c8597936fc097c4

Download Submit
memory/2256-1-0x0000000000800000-0x000000000110E000-memory.dmp

Filesize
9.1MB

Download
memory/2256-2-0x0000000006160000-0x0000000006706000-memory.dmp

Filesize
5.6MB

Download
memory/2256-3-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2256-4-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/2256-5-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2256-0-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/2256-11-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2404-14-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2404-7-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2404-20-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2404-6-0x0000000000400000-0x000000000072A000-memory.dmp

Filesize
3.2MB

Download
memory/2428-16-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/2428-17-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/2428-19-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/2428-21-0x0000000006A90000-0x00000000070A8000-memory.dmp

Filesize
6.1MB

Download
memory/2428-22-0x0000000005C70000-0x0000000005CC0000-memory.dmp

Filesize
320KB

Download
memory/2428-23-0x0000000006690000-0x0000000006742000-memory.dmp

Filesize
712KB

Download
memory/2428-26-0x0000000007E30000-0x0000000007E42000-memory.dmp

Filesize
72KB

Download
memory/2428-27-0x0000000007E90000-0x0000000007ECC000-memory.dmp

Filesize
240KB

Download
memory/2428-28-0x0000000007F40000-0x0000000007FA6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads