quasar | 08f02ffe7eeff88badfd144cf74b3b3fbd7319b1c31f6f72b7aeda5613020bbc

Analysis

max time kernel
22s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 16:47

Target

Client.exe
Size

3.1MB
MD5

f4d2c8d8d68a3498b8c35174f5f30aa8
SHA1

c0122df8b964874689ef0b22846719af39c02713
SHA256

08f02ffe7eeff88badfd144cf74b3b3fbd7319b1c31f6f72b7aeda5613020bbc
SHA512

14bbc1dfda168567392cac4311279ea9271d531f143fe5e5c015d509829dff4312ea45b413111a507f0f1baa8037ec6c98a0be09a38dd6f5f22e90768fb3ae8b
SSDEEP

49152:agwNiXIBaIGNydScbKPLhtJ6IX2cCDXsch9HHBE2VhGNT:Hci4BjScb+FtoIX2R

Score

10^/10

Family

quasar

Attributes

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-1-0x00000000009E0000-0x0000000000D08000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Client.exe

description pid process target process

PID 2112 created 2656 2112 Client.exe TrustedInstaller.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20240513164801.cab makecab.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Client.exe

pid process

2112 Client.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 2112 Client.exe

description	pid	process	target process
PID 2112 created 2656	2112	Client.exe	TrustedInstaller.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20240513164801.cab	makecab.exe

pid	process
2112	Client.exe

description	pid	process
Token: SeDebugPrivilege	2112	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Client.exeClient.exe

description	pid	process	target process
PID 2112 wrote to memory of 2568	2112	Client.exe	Client.exe
PID 2112 wrote to memory of 2568	2112	Client.exe	Client.exe
PID 2112 wrote to memory of 2568	2112	Client.exe	Client.exe
PID 2568 wrote to memory of 3044	2568	Client.exe	WerFault.exe
PID 2568 wrote to memory of 3044	2568	Client.exe	WerFault.exe
PID 2568 wrote to memory of 3044	2568	Client.exe	WerFault.exe

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2656

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240513164801.log C:\Windows\Logs\CBS\CbsPersist_20240513164801.cab
2⤵
- Drops file in Windows directory
PID:2700

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2568 -s 68
3⤵
PID:3044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:860

memory/2112-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x00000000009E0000-0x0000000000D08000-memory.dmp

Filesize
3.2MB

Download