quasar | 36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db

Analysis

max time kernel
1779s
max time network
1794s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

a5ec52e235b51b62737775708aa75b41
SHA1

2fb3d2b31ec5cc4f81d8000ab73e1c42e56d9696
SHA256

36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db
SHA512

c89a016cae8e27bbc080300834410e72c00279ea74004f52c1c82bb5293c3abdda0b0aa5634b3157cd88bc81acadeeb4e8114789d0dd292273a3d2871ba094dd
SSDEEP

49152:Wv+I22SsaNYfdPBldt698dBcjHR3DkE2HLk/+FMoGdECTHHB72eh2NT:Wvz22SsaNYfdPBldt6+dBcjHR3DMq0

Score

10^/10

quasar final spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

FINAL

192.168.1.3:4782

0.tcp.ap.ngrok.io:19777

Mutex

07349335-02d4-4e1c-9997-b1ec2161a0e1

Attributes

encryption_key
DE496BF144B8EBE8F8D89996CC77BEE88B0F6BCB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
GET FUCKED
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2760-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2560-8-0x0000000000B00000-0x0000000000E24000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2560 Client.exe

pid	process
2560	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

Processes:

flow	ioc
143	0.tcp.ap.ngrok.io
58	0.tcp.ap.ngrok.io
84	0.tcp.ap.ngrok.io
105	0.tcp.ap.ngrok.io
110	0.tcp.ap.ngrok.io
120	0.tcp.ap.ngrok.io
130	0.tcp.ap.ngrok.io
16	0.tcp.ap.ngrok.io
138	0.tcp.ap.ngrok.io
11	0.tcp.ap.ngrok.io
37	0.tcp.ap.ngrok.io
51	0.tcp.ap.ngrok.io
70	0.tcp.ap.ngrok.io
91	0.tcp.ap.ngrok.io
98	0.tcp.ap.ngrok.io
115	0.tcp.ap.ngrok.io
3	0.tcp.ap.ngrok.io
23	0.tcp.ap.ngrok.io
30	0.tcp.ap.ngrok.io
44	0.tcp.ap.ngrok.io
65	0.tcp.ap.ngrok.io
77	0.tcp.ap.ngrok.io
125	0.tcp.ap.ngrok.io
133	0.tcp.ap.ngrok.io

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeClient.exe

description pid process

Token: SeDebugPrivilege 2760 Client-built.exe
Token: SeDebugPrivilege 2560 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2560 Client.exe

description	pid	process
Token: SeDebugPrivilege	2760	Client-built.exe
Token: SeDebugPrivilege	2560	Client.exe

pid	process
2560	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Client-built.exe

description	pid	process	target process
PID 2760 wrote to memory of 2560	2760	Client-built.exe	Client.exe
PID 2760 wrote to memory of 2560	2760	Client-built.exe	Client.exe
PID 2760 wrote to memory of 2560	2760	Client-built.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
a5ec52e235b51b62737775708aa75b41

SHA1
2fb3d2b31ec5cc4f81d8000ab73e1c42e56d9696

SHA256
36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db

SHA512
c89a016cae8e27bbc080300834410e72c00279ea74004f52c1c82bb5293c3abdda0b0aa5634b3157cd88bc81acadeeb4e8114789d0dd292273a3d2871ba094dd

Download Submit
memory/2560-8-0x0000000000B00000-0x0000000000E24000-memory.dmp

Filesize
3.1MB

Download
memory/2560-9-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-10-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-11-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-12-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2760-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/2760-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-7-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download