quasar | 55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d

Analysis

max time kernel
136s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dishkum Tena.exe
Size

3.1MB
MD5

36970784c3736c71546d73e0773ee956
SHA1

2d09c257a3e09b079d23520400953bafc495e06e
SHA256

55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d
SHA512

6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c
SSDEEP

49152:Gvht62XlaSFNWPjljiFa2RoUYI1C91JgLoGd9hTHHB72eh2NT:GvL62XlaSFNWPjljiFXRoUYI1CE

Score

10^/10

quasar dani69 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Dani69

192.168.1.2:4782

Mutex

9f26ad88-50ee-4f62-81ff-c770a798a67c

Attributes

encryption_key
81B07382BFEB227CBA1AE8701042E7A26708E9ED
install_name
Dani69.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Dani69
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4172-1-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Dani69.exe

pid process

4532 Dani69.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1056 schtasks.exe
4528 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Dishkum Tena.exeDani69.exe

description pid process

Token: SeDebugPrivilege 4172 Dishkum Tena.exe
Token: SeDebugPrivilege 4532 Dani69.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Dani69.exe

pid process

4532 Dani69.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Dani69.exe

pid process

4532 Dani69.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Dani69.exe

pid process

4532 Dani69.exe

pid	process
4532	Dani69.exe

pid	process
1056	schtasks.exe
4528	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4172	Dishkum Tena.exe
Token: SeDebugPrivilege	4532	Dani69.exe

pid	process
4532	Dani69.exe

pid	process
4532	Dani69.exe

pid	process
4532	Dani69.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Dishkum Tena.exeDani69.exe

description	pid	process	target process
PID 4172 wrote to memory of 1056	4172	Dishkum Tena.exe	schtasks.exe
PID 4172 wrote to memory of 1056	4172	Dishkum Tena.exe	schtasks.exe
PID 4172 wrote to memory of 4532	4172	Dishkum Tena.exe	Dani69.exe
PID 4172 wrote to memory of 4532	4172	Dishkum Tena.exe	Dani69.exe
PID 4532 wrote to memory of 4528	4532	Dani69.exe	schtasks.exe
PID 4532 wrote to memory of 4528	4532	Dani69.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe
"C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1056

C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
Filesize
3.1MB

MD5
36970784c3736c71546d73e0773ee956

SHA1
2d09c257a3e09b079d23520400953bafc495e06e

SHA256
55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d

SHA512
6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c

Download Submit
memory/4172-0-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp

Filesize
8KB

Download
memory/4172-1-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/4172-2-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-10-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-9-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-11-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-12-0x000000001BD50000-0x000000001BDA0000-memory.dmp

Filesize
320KB

Download
memory/4532-13-0x000000001BE60000-0x000000001BF12000-memory.dmp

Filesize
712KB

Download
memory/4532-14-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

Filesize
10.8MB

Download