quasar | e22a3cb397fd7057647abdbbfe0aafbfd9a89347d87de1d8d25a7559c93bf78d

Analysis

max time kernel
14s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

802b87d9573ed818a874c623450d9eb3
SHA1

ffdedc0ed0a944ed2fca22618d9c6f5121be23e1
SHA256

e22a3cb397fd7057647abdbbfe0aafbfd9a89347d87de1d8d25a7559c93bf78d
SHA512

409e59688e6feb164359e6da07ef1f7a3fb0e0b272b4443b93bd72a0aca8360903013aa2ec7d54311289bb5cab1a76e0a524eb49d47baca2bfe32eee5a19af1a
SSDEEP

49152:nvZG42pda6D+/PjlLOlg6yQipVl4gZfD+N6YoGdsTHHB72eh2NT:nvI42pda6D+/PjlLOlZyQipVlxZa

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.129.198.185:4782

26.129.198.185:4783

192.168.100.213:4783

Mutex

1a2ca71f-65ef-446f-bdd5-6f5d396ece2f

Attributes

encryption_key
647827306D789C3A0BDAE423EB04375B6E1FDA36
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3244-1-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3352 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3216 schtasks.exe
2764 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeClient.exe

description pid process

Token: SeDebugPrivilege 3244 Client-built.exe
Token: SeDebugPrivilege 3352 Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Client.exe

pid process

3352 Client.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

3352 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3352 Client.exe

pid	process
3352	Client.exe

pid	process
3216	schtasks.exe
2764	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3244	Client-built.exe
Token: SeDebugPrivilege	3352	Client.exe

pid	process
3352	Client.exe

pid	process
3352	Client.exe

pid	process
3352	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Client-built.exeClient.exe

description	pid	process	target process
PID 3244 wrote to memory of 3216	3244	Client-built.exe	schtasks.exe
PID 3244 wrote to memory of 3216	3244	Client-built.exe	schtasks.exe
PID 3244 wrote to memory of 3352	3244	Client-built.exe	Client.exe
PID 3244 wrote to memory of 3352	3244	Client-built.exe	Client.exe
PID 3352 wrote to memory of 2764	3352	Client.exe	schtasks.exe
PID 3352 wrote to memory of 2764	3352	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
802b87d9573ed818a874c623450d9eb3

SHA1
ffdedc0ed0a944ed2fca22618d9c6f5121be23e1

SHA256
e22a3cb397fd7057647abdbbfe0aafbfd9a89347d87de1d8d25a7559c93bf78d

SHA512
409e59688e6feb164359e6da07ef1f7a3fb0e0b272b4443b93bd72a0aca8360903013aa2ec7d54311289bb5cab1a76e0a524eb49d47baca2bfe32eee5a19af1a

Download Submit
memory/3244-0-0x00007FFC7BF83000-0x00007FFC7BF85000-memory.dmp

Filesize
8KB

Download
memory/3244-1-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/3244-2-0x00007FFC7BF80000-0x00007FFC7CA41000-memory.dmp

Filesize
10.8MB

Download
memory/3244-8-0x00007FFC7BF80000-0x00007FFC7CA41000-memory.dmp

Filesize
10.8MB

Download
memory/3352-9-0x00007FFC7BF80000-0x00007FFC7CA41000-memory.dmp

Filesize
10.8MB

Download
memory/3352-10-0x00007FFC7BF80000-0x00007FFC7CA41000-memory.dmp

Filesize
10.8MB

Download
memory/3352-11-0x000000001C6D0000-0x000000001C720000-memory.dmp

Filesize
320KB

Download
memory/3352-12-0x000000001C7E0000-0x000000001C892000-memory.dmp

Filesize
712KB

Download