quasar | 348d6ee5d14cba4dd47355c7c521bf085824359b0285fd0f769678dc8c4edcea

Analysis

max time kernel
17s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

b5477d01c6ec3a2e05153673c7cba24a
SHA1

0774e7fb2a94aa489185ae7047b5c810685ba12e
SHA256

348d6ee5d14cba4dd47355c7c521bf085824359b0285fd0f769678dc8c4edcea
SHA512

590948c3b4e32685a6d4bbb14017c145f061f15e28d3ba1f26ef0d14a01adf2ab029fa11ee4ab2881612084b34e63f30d49d8867dcb0a463a848b6c253f8e488
SSDEEP

49152:WvRt62XlaSFNWPjljiFa2RoUYIFeRJ6abR3LoGdZKTHHB72eh2NT:Wvb62XlaSFNWPjljiFXRoUYIFeRJ60

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.0.0.235:4782

Mutex

344dfdd6-fe74-48a9-967b-a3dfad856bcb

Attributes

encryption_key
131452D2A8537CACD85316B57C663E06ADAC8DE0
install_name
SvcHost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
conhost
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3040-1-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe	family_quasar
behavioral1/memory/3000-8-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

SvcHost.exe

pid process

3000 SvcHost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1276 schtasks.exe
2524 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeSvcHost.exe

description pid process

Token: SeDebugPrivilege 3040 Client-built.exe
Token: SeDebugPrivilege 3000 SvcHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SvcHost.exe

pid process

3000 SvcHost.exe

pid	process
3000	SvcHost.exe

pid	process
1276	schtasks.exe
2524	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3040	Client-built.exe
Token: SeDebugPrivilege	3000	SvcHost.exe

pid	process
3000	SvcHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Client-built.exeSvcHost.exe

description	pid	process	target process
PID 3040 wrote to memory of 1276	3040	Client-built.exe	schtasks.exe
PID 3040 wrote to memory of 1276	3040	Client-built.exe	schtasks.exe
PID 3040 wrote to memory of 1276	3040	Client-built.exe	schtasks.exe
PID 3040 wrote to memory of 3000	3040	Client-built.exe	SvcHost.exe
PID 3040 wrote to memory of 3000	3040	Client-built.exe	SvcHost.exe
PID 3040 wrote to memory of 3000	3040	Client-built.exe	SvcHost.exe
PID 3000 wrote to memory of 2524	3000	SvcHost.exe	schtasks.exe
PID 3000 wrote to memory of 2524	3000	SvcHost.exe	schtasks.exe
PID 3000 wrote to memory of 2524	3000	SvcHost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1276

C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe

Filesize
3.1MB

MD5
b5477d01c6ec3a2e05153673c7cba24a

SHA1
0774e7fb2a94aa489185ae7047b5c810685ba12e

SHA256
348d6ee5d14cba4dd47355c7c521bf085824359b0285fd0f769678dc8c4edcea

SHA512
590948c3b4e32685a6d4bbb14017c145f061f15e28d3ba1f26ef0d14a01adf2ab029fa11ee4ab2881612084b34e63f30d49d8867dcb0a463a848b6c253f8e488

Download Submit
memory/3000-8-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/3000-11-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-10-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/3040-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-9-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download