quasar | f80608ffcfae5dd4255704e7a65fca72882dce5b23d3fda13c11e560c4c45d20

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ss.exe
Size

3.1MB
MD5

e786c5e43fd18c2059613d5e7d490cde
SHA1

adef35755782160a2bb8977efbbcaa747a3e07cd
SHA256

f80608ffcfae5dd4255704e7a65fca72882dce5b23d3fda13c11e560c4c45d20
SHA512

09310d47dd39722042f9551a2eb21b3fec1f1a05123fa92164940a70466b7cfc1bd56a15ca7c90ebac01c8933da1cccc5dc889a0f91d476b0d214edfa211593f
SSDEEP

98304:3vJL26AaNeWgPhlmVqkQ7XSKJdRJ67n4:fH4SwK

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

bin-inspections.gl.at.ply.gg:64055

Mutex

536deaa9-57d2-448a-ae01-b604426d7fa6

Attributes

encryption_key
DBB529B3F56F6D23695F8D7AC9BA28484A0D6D0F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3012-1-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ss.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation ss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1752 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ss.exe

description pid process

Token: SeDebugPrivilege 3012 ss.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

ss.exe

pid process

3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

ss.exe

pid process

3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe
3012 ss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ss.exe

pid	process
1752	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3012	ss.exe

pid	process
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe

pid	process
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe
3012	ss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ss.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 4104	3012	ss.exe	cmd.exe
PID 3012 wrote to memory of 4104	3012	ss.exe	cmd.exe
PID 4104 wrote to memory of 3036	4104	cmd.exe	chcp.com
PID 4104 wrote to memory of 3036	4104	cmd.exe	chcp.com
PID 4104 wrote to memory of 1752	4104	cmd.exe	PING.EXE
PID 4104 wrote to memory of 1752	4104	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcKFjc0t785w.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3036

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GcKFjc0t785w.bat

Filesize
203B

MD5
a49b23be5f2e459d6c272c791212cc5e

SHA1
a2a79c249bcd697ebbf3410b2c4c3b5820dbeeea

SHA256
e186ff1a7b776774f0667677e69554f858f2838cee35095de61f166a0e96ae28

SHA512
d41d2a75e30d1d80645ba230f9a1840b62a317e9c4df11aac853203784faa5588a02498639e7c04c071eb7d637cbbbbef3813792eeef540700f43d80bf03f2d1

Download Submit
memory/3012-8-0x000000001BD10000-0x000000001BD4C000-memory.dmp

Filesize
240KB

Download
memory/3012-2-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-3-0x000000001BC60000-0x000000001BCB0000-memory.dmp

Filesize
320KB

Download
memory/3012-4-0x000000001BD70000-0x000000001BE22000-memory.dmp

Filesize
712KB

Download
memory/3012-7-0x000000001BCB0000-0x000000001BCC2000-memory.dmp

Filesize
72KB

Download
memory/3012-0-0x00007FFA34033000-0x00007FFA34035000-memory.dmp

Filesize
8KB

Download
memory/3012-10-0x00007FFA34033000-0x00007FFA34035000-memory.dmp

Filesize
8KB

Download
memory/3012-9-0x000000001C970000-0x000000001CB19000-memory.dmp

Filesize
1.7MB

Download
memory/3012-11-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-12-0x000000001C970000-0x000000001CB19000-memory.dmp

Filesize
1.7MB

Download
memory/3012-25-0x000000001C970000-0x000000001CB19000-memory.dmp

Filesize
1.7MB

Download
memory/3012-26-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-1-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download