Malware Analysis Report

2024-08-06 11:30

Sample ID: 240612-gq169sselb
Target: ImageLoggerBuilder2.0.exe
SHA256: bf14edf87a349754e8499a8d62ccb7a3e3c4d2dd9670bbff873da64c4a5b6c94
Tags: hehe, quasar, spyware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: bf14edf87a349754e8499a8d62ccb7a3e3c4d2dd9670bbff873da64c4a5b6c94
Threat Level: Known bad

The file ImageLoggerBuilder2.0.exe was found to be: Known bad.

Malicious Activity Summary

Tags: hehe, quasar, spyware, trojan

Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 06:01

Signatures

Quasar family (quasar)

Quasar payload

| Description | Indicator | Process | Target |
| N/A         | N/A       | N/A     | N/A    |

Unsigned PE

| Description | Indicator | Process | Target |
| N/A         | N/A       | N/A     | N/A    |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 06:01
Reported: 2024-06-12 06:02
Platform: win11-20240508-en
Max time kernel: 26s
Max time network: 30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe"

Signatures

Quasar RAT (trojan, spyware, quasar)

Quasar payload

| Description | Indicator | Process | Target |
| N/A         | N/A       | N/A     | N/A    |
| N/A         | N/A       | N/A     | N/A    |

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

| Description | Indicator | Process                          | Target |
| N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A    |
| N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A    |
| N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A    |
| N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A    |

Runs ping.exe

| Description | Indicator | Process                      | Target |
| N/A         | N/A       | C:\Windows\system32\PING.EXE | N/A    |
| N/A         | N/A       | C:\Windows\system32\PING.EXE | N/A    |
| N/A         | N/A       | C:\Windows\system32\PING.EXE | N/A    |

Suspicious use of AdjustPrivilegeToken

| Description             | Indicator | Process                                                        | Target |
| Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe    | N/A    |
| Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe        | N/A    |
| Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe        | N/A    |
| Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe        | N/A    |

Suspicious use of WriteProcessMemory

| Description                    | Indicator | Process                                                     | Target                                                  |
| PID 4048 wrote to memory of 4668 | N/A     | C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe | C:\Windows\SYSTEM32\schtasks.exe                        |
| PID 4048 wrote to memory of 820  | N/A     | C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe |
| PID 820 wrote to memory of 1864  | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\SYSTEM32\schtasks.exe                        |
| PID 820 wrote to memory of 4564  | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\system32\cmd.exe                             |
| PID 4564 wrote to memory of 4060 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\chcp.com                            |
| PID 4564 wrote to memory of 4456 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\PING.EXE                            |
| PID 4564 wrote to memory of 4700 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe |
| PID 4700 wrote to memory of 1556 | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\SYSTEM32\schtasks.exe                        |
| PID 4700 wrote to memory of 1364 | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\system32\cmd.exe                             |
| PID 1364 wrote to memory of 1176 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\chcp.com                            |
| PID 1364 wrote to memory of 760  | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\PING.EXE                            |
| PID 1364 wrote to memory of 3088 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe |
| PID 3088 wrote to memory of 4516 | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\SYSTEM32\schtasks.exe                        |
| PID 3088 wrote to memory of 4228 | N/A     | C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe     | C:\Windows\system32\cmd.exe                             |
| PID 4228 wrote to memory of 3628 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\chcp.com                            |
| PID 4228 wrote to memory of 1256 | N/A     | C:\Windows\system32\cmd.exe                                 | C:\Windows\system32\PING.EXE                            |

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe"

C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ImageLoggerBuilder2.0.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe"

C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O0H7Dq3JXw1r.bat" "

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\PING.EXE
    ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe"

C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QTJiSY8PNUyp.bat" "

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\PING.EXE
    ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe"

C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qM0tj9zRLqAL.bat" "

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\PING.EXE
    ping -n 10 localhost

Network

| Country | Destination        | Domain                           | Proto |
| GB      | 104.86.110.107:443 |                                  | tcp   |
| GB      | 104.86.110.107:443 |                                  | tcp   |
| GB      | 104.86.110.107:443 |                                  | tcp   |
| US      | 8.8.8.8:53         | browser.pipe.aria.microsoft.com  | udp   |
| GB      | 104.86.110.112:443 |                                  | tcp   |

Files

memory/4048-0-0x00007FFE0ABB3000-0x00007FFE0ABB5000-memory.dmp

memory/4048-1-0x0000000000F60000-0x0000000000FE4000-memory.dmp

memory/4048-2-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\ImageLogger11.exe

MD5 2231da4dd03ea8cc9fddbf3c1a3878f6
SHA1 f79ab1952634a33ca4461dd417023f7e6464ab91
SHA256 bf14edf87a349754e8499a8d62ccb7a3e3c4d2dd9670bbff873da64c4a5b6c94
SHA512 0ee5f632b5dd1b87296a7cf0e39de239c9076b4c8a7fcdfb6bb72f16d1567255dd61b5ae7c4dbe213c02ee6642bfee8495d39f780b505f575e9b5ad45a3e05e8

memory/4048-8-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

memory/820-9-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

memory/820-10-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

memory/820-11-0x000000001BAC0000-0x000000001BB10000-memory.dmp

memory/820-12-0x000000001BBD0000-0x000000001BC82000-memory.dmp

memory/820-17-0x00007FFE0ABB0000-0x00007FFE0B672000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\O0H7Dq3JXw1r.bat

MD5 f13f3c517549f5753683d924867577d7
SHA1 59af7b1722dde850f21a998d1f7b2de7e022061c
SHA256 1075c968b14bf9a25317fa274124ca54f52c3918cabbe98df66c82db2d8c95c3
SHA512 cb00d24a7c4c11f94446c79497c9cbaf6d8a2eda0ca8a199176aca2a733d39d64491e9595113b17bf2d586e68bc186bcf9ab626b8b8b43ff6e3d09aedd8748e1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ImageLogger11.exe.log

MD5 15eab799098760706ed95d314e75449d
SHA1 273fb07e40148d5c267ca53f958c5075d24c4444
SHA256 45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778
SHA512 50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

C:\Users\Admin\AppData\Local\Temp\QTJiSY8PNUyp.bat

MD5 e38ade5024af3d734e69a1d99a4b8411
SHA1 b83a7aa9dc51719794421a741992a176decc4ee6
SHA256 f26abbb1ac6cd012dce7064f1f984ed5e0a14c605fcca62514fe5f230aef3a83
SHA512 8c81bd62639a3cc1c16f6beba91e786bc55e35d7a1deca56a5aeb02198a08b74d2ba62f38d98abb0989ad7fb10f4d4b760d84e1fff3f66ee8c02aea46559da85

C:\Users\Admin\AppData\Local\Temp\qM0tj9zRLqAL.bat

MD5 91eac4017b5dc6bb0ad846f5d4ef9eec
SHA1 6872d663ad984656705da4b434c0be9d9370be8e
SHA256 e74f22b7c9004468b109594427156f0377fff6b4e00052a249f639c04e10ab40
SHA512 c670f2a7d23703a4b5cbefed75d91ef95cc854aa455554a5c22dd69dc57c73adfcf0fe4b9c2624185030c7ace92cb1d0e010834ec06837a8c46cb6ba2d6bfc81