quasar | eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6

Analysis

max time kernel
10s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

286KB
MD5

4e47b6257fa7e2221df20e6d9f7fc47a
SHA1

7d6116a578f51d87cad1efe9e5971c412eb769a9
SHA256

eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6
SHA512

6e5e3d2e865fa2c2d229c70f7a10a3821316b91b7daa66ecdfea9dcc7275d30da56f56a90eb64fdbe603e0aa50d5d797c40a4877e48ab0328a6d6ebc06ddd532
SSDEEP

6144:OhVZx2zU1Ypil1TQxqhzu4nkhdVwbjJ1ybkWrrpo:ExT1tY4Idc1ybkWho

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
P2ctPN6uGReD4W1dEypm
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1204-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1664 Client.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1524 schtasks.exe
3292 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Loader.exeClient.exe

description pid process

Token: SeDebugPrivilege 1204 Loader.exe
Token: SeDebugPrivilege 1664 Client.exe

pid	process
1664	Client.exe

flow	ioc
5	ip-api.com

pid	process
1524	schtasks.exe
3292	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1204	Loader.exe
Token: SeDebugPrivilege	1664	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Loader.exeClient.exe

description	pid	process	target process
PID 1204 wrote to memory of 1524	1204	Loader.exe	schtasks.exe
PID 1204 wrote to memory of 1524	1204	Loader.exe	schtasks.exe
PID 1204 wrote to memory of 1524	1204	Loader.exe	schtasks.exe
PID 1204 wrote to memory of 1664	1204	Loader.exe	Client.exe
PID 1204 wrote to memory of 1664	1204	Loader.exe	Client.exe
PID 1204 wrote to memory of 1664	1204	Loader.exe	Client.exe
PID 1664 wrote to memory of 3292	1664	Client.exe	schtasks.exe
PID 1664 wrote to memory of 3292	1664	Client.exe	schtasks.exe
PID 1664 wrote to memory of 3292	1664	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1524

C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
Filesize
286KB

MD5
4e47b6257fa7e2221df20e6d9f7fc47a

SHA1
7d6116a578f51d87cad1efe9e5971c412eb769a9

SHA256
eeddf97a4c02250bdff26feba1085ff30277d2f71054cd32e8796554fffb23e6

SHA512
6e5e3d2e865fa2c2d229c70f7a10a3821316b91b7daa66ecdfea9dcc7275d30da56f56a90eb64fdbe603e0aa50d5d797c40a4877e48ab0328a6d6ebc06ddd532

Download Submit
memory/1204-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1204-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp

Filesize
312KB

Download
memory/1204-2-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/1204-3-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/1204-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1204-5-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1204-6-0x0000000006140000-0x0000000006152000-memory.dmp

Filesize
72KB

Download
memory/1204-7-0x0000000006680000-0x00000000066BC000-memory.dmp

Filesize
240KB

Download
memory/1204-14-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1664-15-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1664-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download