Malware Analysis Report

2024-10-19 06:33

Sample ID 240528-s4ytvabg69
Target virussign.com_9599e82a8fa3a606c186e75e4d7d7100.vir
SHA256 f4dc1a032d33002bd859c3cad82dc31ffed0ce62c29fb899860a37b1d7dcfcbc
Tags
quasar persistence spyware trojan
score
10/10


Analysis Overview

score
10/10

SHA256

f4dc1a032d33002bd859c3cad82dc31ffed0ce62c29fb899860a37b1d7dcfcbc

Threat Level: Known bad

The file virussign.com_9599e82a8fa3a606c186e75e4d7d7100.vir was found to be: Known bad.

Malicious Activity Summary

quasar persistence spyware trojan

Quasar RAT

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 15:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 15:41

Reported

2024-05-28 15:44

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe"

Signatures

Quasar RAT

trojan spyware quasar

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""
Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
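The WriteProcessMemory rows above are the sandbox's record of each parent writing into a child it was starting, so every launch shows up three times and the lineage is hard to read off the table. The script below is an added example, not part of the sandbox report, that collapses the rows into a process tree and separates launches caused by the dropper from launches caused by the Task Scheduler engine. The row text is the table above, embedded as constructed input; the assumption that repeated rows for one parent/child pair describe a single launch, and the choice of taskeng.exe as the scheduler image, are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows from the behavioral1
# run, copied as the sandbox printed them (several writes are logged per launch).
WPM_ROWS = r"""
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Windows\system32\schtasks.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\schtasks.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 928 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 840 wrote to memory of 1348 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """Collapse rows into unique (parent_pid, child_pid, parent_image, child_image) edges in
    first-seen order. Assumption: repeated rows for one pair are the several writes a parent
    performs while starting a single child, not several launches of that child."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            edges.append((int(ppid), int(cpid), pimg, cimg))
    return edges


def build_tree(edges):
    """Return (pid -> image path, parent pid -> [child pids], sorted root pids)."""
    images, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
        children[ppid].append(cpid)
    child_pids = {cpid for _, cpid, _, _ in edges}
    roots = sorted(pid for pid in images if pid not in child_pids)
    return images, children, roots


def render(images, children, pid, depth=0):
    """Indented text tree showing only the image file name."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {name}"]
    for child in children.get(pid, []):
        lines.extend(render(images, children, child, depth + 1))
    return lines


def launched_by_scheduler(edges, scheduler="taskeng.exe"):
    """Child PIDs whose parent is the Task Scheduler engine: launches caused by a scheduled
    task firing rather than by the dropper. taskeng.exe is the Windows 7 engine; on Windows 10
    the launching parent is the svchost.exe instance hosting the Schedule service."""
    return [cpid for _, cpid, pimg, _ in edges if pimg.lower().endswith(scheduler)]


def analyze(text=WPM_ROWS):
    edges = parse_edges(text)
    images, children, roots = build_tree(edges)
    tree = []
    for root in roots:
        tree.extend(render(images, children, root))
    return {"edges": edges, "roots": roots, "tree": tree,
            "task_launched": launched_by_scheduler(edges)}


if __name__ == "__main__":
    result = analyze()
    print("\n".join(result["tree"]))
    print("launched by Task Scheduler:", result["task_launched"])
```

Run against the table, the 21 rows reduce to 7 launches and two roots: the dropper (2756), which starts schtasks and the Roaming copy of Client.exe (2500), which in turn registers two more tasks; and taskeng.exe (840), which starts Client.exe three separate times (928, 1580, 1348) inside the 150 s run, consistent with the WINDOWSSYSTEMHOST task firing once a minute.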

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /sc MINUTE /MO 1

C:\Windows\system32\taskeng.exe

taskeng.exe {8742B83A-71C8-48D2-8CB7-9D735C84FDD7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Network

Country  Destination        Domain      Proto
US       8.8.8.8:53         ip-api.com  udp
US       208.95.112.1:80    ip-api.com  tcp
US       208.95.112.1:80    ip-api.com  tcp
N/A      10.1.10.103:82     (none)      tcp
N/A      10.1.10.103:82     (none)      tcp
N/A      10.1.10.103:82     (none)      tcp
N/A      10.1.10.103:82     (none)      tcp
N/A      10.1.10.103:82     (none)      tcp
N/A      10.1.10.103:82     (none)      tcp

Files

memory/2756-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2756-1-0x00000000013C0000-0x00000000013C8000-memory.dmp

memory/2756-2-0x0000000000DC0000-0x0000000000E5E000-memory.dmp

memory/2756-3-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 9599e82a8fa3a606c186e75e4d7d7100
SHA1 ea31dacbcba204026017a13e43f867c4cf0c4690
SHA256 f4dc1a032d33002bd859c3cad82dc31ffed0ce62c29fb899860a37b1d7dcfcbc
SHA512 126354727846d252d856ededee7aabb66442c0f29cb945735391f9a26657f1d682cdd0745672b5801cae039f8e13d573849b51ed2998b801976330df81d0194d

memory/2500-9-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

memory/2500-10-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2500-11-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2756-12-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2500-14-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2500-16-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 15:41

Reported

2024-05-28 15:43

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe"

Signatures

Quasar RAT

trojan spyware quasar

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""
Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /sc MINUTE /MO 1

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
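Both detonations (the behavioral1 and behavioral2 Processes sections) show the same three schtasks registrations plus the Run key: the dropper registers "Quasar Client Startup" for its own Temp path, the installed copy in Roaming re-registers the same task name with /f so it now points at itself, and a second task, WINDOWSSYSTEMHOST, restarts Client.exe every minute. The script below is an added example, not code from the report or from Quasar, that parses those command lines and the Run-key row and turns each into the findings an analyst would write down. The command lines and the registry row are copied from the report as constructed input; the list of user-writable directories is the example's own assumption and is broader than the two paths this sample used.

```python
import shlex

# Constructed input: the three schtasks command lines and the Run-key row the sandbox
# recorded for this sample.
SCHTASKS_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\virussign.com_9599e82a8fa3a606c186e75e4d7d7100.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /sc MINUTE /MO 1',
]
RUN_KEY_ROW = (r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft'
               r'\Windows\CurrentVersion\Run\Quasar Client Startup = '
               r'"\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""')

# Assumption (example's own): directories a standard user can write to, lower-cased.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def parse_schtasks(cmdline):
    """Map each /switch (lower-case, without the slash) to its value; valueless switches such
    as /f map to True. posix=False keeps backslashes literal and quoted arguments whole."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args, i = {}, 1                      # tokens[0] is the schtasks image itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def triage_task(args):
    """Findings for one /create command, based on the properties this sample combines."""
    findings = []
    target = str(args.get("tr", "")).lower()
    sc, rl = str(args.get("sc", "")).upper(), str(args.get("rl", "")).upper()
    if any(d in target for d in USER_WRITABLE_DIRS):
        findings.append("target lives in a user-writable directory")
    if sc == "ONLOGON" and rl == "HIGHEST":
        findings.append("runs at every logon with the highest available privileges")
    if sc == "MINUTE" and args.get("mo") == "1":
        findings.append("re-launches the target every minute (watchdog persistence)")
    if args.get("f") is True:
        findings.append("/f silently replaces an existing task of the same name")
    return findings


def repointed_tasks(cmdlines):
    """Task names registered more than once with a different /tr target, i.e. a task
    re-pointed from the dropper's path to the installed copy."""
    targets, repointed = {}, []
    for cmd in cmdlines:
        a = parse_schtasks(cmd)
        name, target = a.get("tn"), a.get("tr")
        if name in targets and targets[name] != target:
            repointed.append((name, targets[name], target))
        targets[name] = target
    return repointed


def decode_run_value(row):
    r"""Split a sandbox 'Set value (str)' row into (value name, REG_SZ data). The sandbox
    prints the data as a C-style quoted string, so \" and \\ are unescaped in one pass."""
    key_path, _, raw = row.partition(" = ")
    name = key_path.rsplit("\\", 1)[-1]
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in '\\"':
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return name, "".join(out)


def triage_all(cmdlines=SCHTASKS_CMDLINES, run_row=RUN_KEY_ROW):
    report = {"tasks": [], "repointed": repointed_tasks(cmdlines)}
    for cmd in cmdlines:
        a = parse_schtasks(cmd)
        report["tasks"].append((a.get("tn"), triage_task(a)))
    name, data = decode_run_value(run_row)
    report["run_key"] = (name, data, any(d in data.lower() for d in USER_WRITABLE_DIRS))
    return report


if __name__ == "__main__":
    for name, findings in triage_all()["tasks"]:
        print(name, "->", "; ".join(findings))
```

The decoded Run value is the quoted path "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe", the same binary the two tasks point at, so removal has to cover the Run value and both task names together; deleting only the obviously named "Quasar Client Startup" task leaves WINDOWSSYSTEMHOST restarting the client within a minute.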

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            ip-api.com                      udp
US       208.95.112.1:80       ip-api.com                      tcp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53            18.24.18.2.in-addr.arpa         udp
US       8.8.8.8:53            1.112.95.208.in-addr.arpa       udp
US       208.95.112.1:80       ip-api.com                      tcp
US       8.8.8.8:53            22.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
N/A      10.1.10.103:82        (none)                          tcp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa     udp
N/A      10.1.10.103:82        (none)                          tcp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa        udp
N/A      10.1.10.103:82        (none)                          tcp
US       8.8.8.8:53            82.90.14.23.in-addr.arpa        udp
N/A      10.1.10.103:82        (none)                          tcp
US       8.8.8.8:53            91.90.14.23.in-addr.arpa        udp
N/A      10.1.10.103:82        (none)                          tcp
N/A      10.1.10.103:82        (none)                          tcp

Files

memory/4740-0-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

memory/4740-1-0x00007FF8CC1D3000-0x00007FF8CC1D5000-memory.dmp

memory/4740-2-0x0000000002DC0000-0x0000000002E5E000-memory.dmp

memory/4740-3-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

memory/4740-4-0x000000001C2F0000-0x000000001C302000-memory.dmp

memory/4740-5-0x000000001C7D0000-0x000000001C80C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 9599e82a8fa3a606c186e75e4d7d7100
SHA1 ea31dacbcba204026017a13e43f867c4cf0c4690
SHA256 f4dc1a032d33002bd859c3cad82dc31ffed0ce62c29fb899860a37b1d7dcfcbc
SHA512 126354727846d252d856ededee7aabb66442c0f29cb945735391f9a26657f1d682cdd0745672b5801cae039f8e13d573849b51ed2998b801976330df81d0194d

memory/1400-12-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

memory/1400-14-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

memory/4740-13-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

memory/1400-16-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

memory/1400-17-0x00007FF8CC1D0000-0x00007FF8CCC91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 2362dcc9d262d0969898b143fb7fc91a
SHA1 2240860a675c86425f5702b501eac121bfb744eb
SHA256 4f7cff601d97caf1e0040bc2d63ccadd27294b2e551ff4167e0b080c69a915b0
SHA512 59cb7e53dc9cc02f25216cc87115403ed67fb5d24947ef2e803cd54e9f118d5d65a71817b05642c238ca48eb7bfd228d008d92e42023f2c15755c64c88f5b0d6