Malware Analysis Report

2024-10-19 06:33

Sample ID 240527-3d63msfa74
Target New.exe
SHA256 d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
Tags
quasar video spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234

Threat Level: Known bad

The file New.exe was found to be: Known bad.

Malicious Activity Summary

quasar video spyware trojan

Quasar RAT

Quasar payload

Quasar family

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 23:24

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 23:24

Reported

2024-05-27 23:30

Platform

win11-20240508-en

Max time kernel

152s

Max time network

282s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g3OO9N4StHzv.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/2060-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

memory/2060-1-0x0000000000060000-0x00000000000CC000-memory.dmp

memory/2060-2-0x0000000005050000-0x00000000055F6000-memory.dmp

memory/2060-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp

memory/2060-4-0x0000000074A20000-0x00000000751D1000-memory.dmp

memory/2060-5-0x0000000004C40000-0x0000000004CA6000-memory.dmp

memory/2060-6-0x0000000005000000-0x0000000005012000-memory.dmp

memory/2060-7-0x0000000005E10000-0x0000000005E4C000-memory.dmp

memory/2060-9-0x00000000062B0000-0x00000000062BA000-memory.dmp

memory/2060-10-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

memory/2060-11-0x0000000074A20000-0x00000000751D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g3OO9N4StHzv.bat

MD5 e8349913397f8c199d3308bd91d73a48
SHA1 4c7ede99d0fdc68b91684baa1adc48d9a48d63a8
SHA256 2bde23d1c027826051a4d339b5f6d77c4946d75dbf5743232b9da4e71dc6eacb
SHA512 02b292a5ed025b82e3c0452b1bebc457dc646323ddbae49c4090431714529f266caa95c2c0e0a2a2454b4ce2c87382dd287d7db92b9a4f011f965e4bdb07d784

memory/2060-17-0x0000000074A20000-0x00000000751D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1

MD5 137fe9ecaf2f1b3a99fe333396903e69
SHA1 ad9b1c7ccafdf7d562c5bf96d1780d52f5ec50fc
SHA256 3fc434987931fcbc33b4fe7daeda35b4b01782ddc6c9c55cf386c47a95116796
SHA512 44ce261c546b038ad9508b675c6a2bf5c741e91539b1f75b3c80b424d615afbd52c1a8f2689b1804f817a925114cf6ef22ff33f2754accabb2f2130f947b5a20

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 23:24

Reported

2024-05-27 23:30

Platform

win10-20240404-en

Max time kernel

204s

Max time network

258s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgwM2zrxANGR.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 runderscore00-25501.portmap.host udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

memory/3400-0-0x000000007377E000-0x000000007377F000-memory.dmp

memory/3400-1-0x0000000000380000-0x00000000003EC000-memory.dmp

memory/3400-2-0x00000000051F0000-0x00000000056EE000-memory.dmp

memory/3400-3-0x0000000004CF0000-0x0000000004D82000-memory.dmp

memory/3400-4-0x0000000073770000-0x0000000073E5E000-memory.dmp

memory/3400-5-0x0000000004C40000-0x0000000004CA6000-memory.dmp

memory/3400-6-0x00000000051B0000-0x00000000051C2000-memory.dmp

memory/3400-7-0x0000000005CA0000-0x0000000005CDE000-memory.dmp

memory/3400-9-0x00000000063B0000-0x00000000063BA000-memory.dmp

memory/3400-10-0x000000007377E000-0x000000007377F000-memory.dmp

memory/3400-11-0x0000000073770000-0x0000000073E5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MgwM2zrxANGR.bat

MD5 38585015bae6ccd1870f77d5920cd964
SHA1 c72cbd4ea02278bbc1dc23f68c0ce335aa1e8f4d
SHA256 26eb79e356a4fdf17fa6dec6e3aafad3420bcb80e994080c315dca60ad02589f
SHA512 2c6f7d318dd9344ef85d6aadc13bd309f48cee78948cd9eabb52e21352acf0809887fbb8fcb255232d4f4ca14ef8ce992a5c6c1713a7c419346289d7e4554e0e

memory/3400-17-0x0000000073770000-0x0000000073E5E000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1

MD5 f0bc1bc6ba5a661b3361fe32ab1e4898
SHA1 573964e2caef11c58ab6c75b709246880645e002
SHA256 2ff72d3ac5ad5d7c70567e55105dadbc37300bbad0f4118cc994c9e46267f2f2
SHA512 dbd95df1b2d39bc33856aac48cafe5f2c7f1b48e8be25b21f0bec86e0cc5ab64b36c87cdfff948c2e097ec290898defda0a8221968752c137538289e5a6024cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 23:24

Reported

2024-05-27 23:30

Platform

win10v2004-20240508-en

Max time kernel

204s

Max time network

279s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sX8tIBvchmaV.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
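The process chain above is identical across behavioral1, behavioral2 and behavioral3, differing only in the random name of the dropped .bat file: New.exe runs cmd.exe on a batch file from its own Temp directory, the batch file switches the console to UTF-8 (chcp 65001), sleeps by pinging localhost ten times, and then registers a scheduled task that re-launches New.exe at every logon with /rl HIGHEST. The task name prefix $77 is the naming convention the open-source r77 rootkit uses to decide which processes, files and tasks to hide; the report does not show whether this sample also deploys r77, so treat the prefix as a lead to check on a live host, not as proof. The following Python triage helper is an added example, not sandbox output or Quasar code. It parses the command lines exactly as listed in the three Processes sections (the rows embedded below are constructed from behavioral2) and explains why each step matters; the directory list in USER_WRITABLE and the wording of the findings are the example's own assumptions.

```python
"""Added triage helper (not sandbox output or Quasar code): parses the process
chain recorded in the Processes sections of this report and explains why each
step matters. Input rows below are constructed from the behavioral2 section."""
import re

# (image path, command line) as listed under Processes for behavioral2.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\New.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\New.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sX8tIBvchmaV.bat" "'),
    (r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    (r"C:\Windows\SysWOW64\SCHTASKS.exe",
     r'''"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST'''),
]

# Assumed list of paths a standard user can write to; a task action pointing
# here is rarely legitimate.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public|temp)\\", re.I)


def _opt(cmdline, name):
    """Value of a schtasks /<name> switch, quoted or bare, or None."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline):
    """Return {'tn','tr','sc','rl'} for a 'schtasks /create' line, else None."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmdline, re.I):
        return None
    tr = _opt(cmdline, "tr") or ""
    return {
        "tn": _opt(cmdline, "tn") or "",
        "tr": tr.strip("'"),            # the report shows the path wrapped in single quotes
        "sc": _opt(cmdline, "sc") or "",
        "rl": _opt(cmdline, "rl") or "",
    }


def assess_task(task):
    """Reasons a created task looks like malware persistence (may be empty)."""
    reasons = []
    if task["tn"].startswith("$77"):
        reasons.append("task name carries the $77 prefix that the r77 rootkit hides")
    if USER_WRITABLE.search(task["tr"]):
        reasons.append("task action runs a binary from a user-writable directory")
    if task["sc"].lower() == "onlogon":
        reasons.append("onlogon trigger: re-runs the payload at every logon")
    if task["rl"].upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: asks for the highest privileges the user has")
    return reasons


def ping_sleep(cmdline):
    """Echo count if the line is the 'ping -n N localhost' sleep idiom, else None."""
    m = re.match(r"ping(\.exe)?\s+(?:-n\s+(\d+)\s+)?(localhost|127\.0\.0\.1)\b", cmdline, re.I)
    return int(m.group(2) or 4) if m else None   # Windows ping defaults to 4 echoes


def triage(processes):
    """Return (kind, note) findings for the install chain, in process order."""
    findings = []
    for image, cmdline in processes:
        m = re.search(r'/c\s+"*([^"]*\.bat)\b', cmdline, re.I)
        if m and image.lower().endswith("cmd.exe"):
            where = "user-writable" if USER_WRITABLE.search(m.group(1)) else "system"
            findings.append(("cmd", "batch installer %s run from a %s path" % (m.group(1), where)))
        n = ping_sleep(cmdline)
        if n and n > 1:
            findings.append(("ping", "ping -n %d localhost used as a ~%d s delay" % (n, n - 1)))
        task = parse_schtasks_create(cmdline)
        if task:
            for reason in assess_task(task):
                findings.append(("schtasks", reason))
    return findings


if __name__ == "__main__":
    for kind, note in triage(SAMPLE_PROCESSES):
        print("%-9s %s" % (kind, note))
```

On a live host the same checks map onto Get-ScheduledTask / schtasks /query output: look for task names starting with $77, actions under AppData or Temp, an onlogon trigger, and a Highest run level, and for a cmd.exe child that ran a .bat from the user's Temp directory shortly before the task appeared.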

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 runderscore00-25501.portmap.host udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
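The Network tables of all three detonations mix sample-driven traffic with resolver chatter and Windows background noise (bing.com, PTR lookups). What is actually attributable to the sample is the same in every run: an HTTP request to ip-api.com (the external-IP lookup flagged under Signatures), HTTPS to github.com whose purpose the report does not show, and repeated TCP sessions to 193.161.193.99:25501 via runderscore00-25501.portmap.host, a hostname in the portmap.io port-forwarding service, which is the most likely Quasar C2 channel. The script below is an added example, not sandbox output, that parses the flattened table format used above (rows embedded inline are constructed from the behavioral2 table), drops DNS and background rows, and groups the rest into IOC classes; the background pattern, the tunnel suffix list and the "standard port" rule are assumptions of the example, not facts from the report.

```python
"""Added network triage helper (not sandbox output): parses the flattened
Network tables of this report, drops resolver and sandbox background traffic,
and groups what is left into IOC classes. Sample rows are constructed from
the behavioral2 Network table."""
import re
from collections import Counter

SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 runderscore00-25501.portmap.host udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 20.26.156.215:443 github.com tcp
"""

# Assumptions of this example: the IP-geolocation service seen in the report,
# the portmap.io hostname suffix, and the hosts treated as sandbox background.
EXTERNAL_IP_SERVICES = {"ip-api.com"}
TUNNEL_SUFFIXES = (".portmap.host",)
BACKGROUND = re.compile(r"(^|\.)bing\.(com|net)$", re.I)


def parse_network(text):
    """Rows of the 'Country Destination Domain Proto' table as dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def classify(row):
    """Bucket one connection; 'dns' and 'background' are dropped from the IOC list."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"
    if BACKGROUND.search(row["domain"]):
        return "background"
    if row["domain"] in EXTERNAL_IP_SERVICES:
        return "external-ip-lookup"
    if row["domain"].endswith(TUNNEL_SUFFIXES) or row["port"] not in (80, 443):
        return "c2-candidate"      # tunnel service and/or non-standard port
    return "review"                # plain HTTPS to a well-known host; purpose not shown


def iocs(text):
    """Sorted [((kind, domain, ip, port), session_count), ...] without noise rows."""
    hits = Counter()
    for row in parse_network(text):
        kind = classify(row)
        if kind in ("dns", "background"):
            continue
        hits[(kind, row["domain"], row["ip"], row["port"])] += 1
    return sorted(hits.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))


def dns_queries(text):
    """Names the sample resolved, excluding reverse (PTR) lookups."""
    return sorted({r["domain"] for r in parse_network(text)
                   if classify(r) == "dns" and not r["domain"].endswith(".in-addr.arpa")})


if __name__ == "__main__":
    for (kind, domain, ip, port), n in iocs(SAMPLE_NETWORK):
        print("%-19s %-36s %s:%d  x%d" % (kind, domain, ip, port, n))
    print("resolved:", ", ".join(dns_queries(SAMPLE_NETWORK)))
```

Because portmap.io hostnames are rented and the forwarded endpoint can change, block or alert on the hostname and the host:port pair together rather than on the 193.161.193.99 address alone, and keep github.com in the "review" bucket until the fetched content is known.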

Files

memory/1800-0-0x000000007470E000-0x000000007470F000-memory.dmp

memory/1800-1-0x0000000000F00000-0x0000000000F6C000-memory.dmp

memory/1800-2-0x0000000005E20000-0x00000000063C4000-memory.dmp

memory/1800-3-0x0000000005980000-0x0000000005A12000-memory.dmp

memory/1800-4-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1800-5-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/1800-6-0x00000000067D0000-0x00000000067E2000-memory.dmp

memory/1800-7-0x0000000006D10000-0x0000000006D4C000-memory.dmp

memory/1800-9-0x00000000071D0000-0x00000000071DA000-memory.dmp

memory/1800-10-0x000000007470E000-0x000000007470F000-memory.dmp

memory/1800-11-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sX8tIBvchmaV.bat

MD5 bcd837a5c3a46e32daa119e4b886595b
SHA1 47966e4245a0a88f30d12c266242a6ac4857b8b9
SHA256 72741c50a095075cd5e4cd7e47f809fb9fb5f01ef1b06936cf2546df49209bcd
SHA512 a17c11c022a84404f3ee0357489ae01702fcf18a40078912d3212db1a5713f2223a413539c85aa84a94d91aabe8b2cc06079b0ba43c8c20c24d9f7f2593a8d99

memory/1800-17-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1

MD5 1e1197daea125fef6f6ab43d7dab2529
SHA1 e8f5634b30a6f81085a06f5820dfc8f92185539d
SHA256 8f249049044e76a4337b42f5cad12350c5fa31889fea7688990979a0923ba017
SHA512 b2096d3702a018783f8495bb1cc54e058a9acc6309222b7b575a7edaf3746870029719b3fe9f1f0670c8c1b8ba348c7bc6ca671378a38523e20dcf146b976f9a