Malware Analysis Report

2024-08-06 11:24

Sample ID: 240615-e7kvhasgql
Target: server.exe
SHA256: 5800caf82a36637733bfcbf94ff7d84a94b9aed9219e379f8a7fd0fdb9ba2f65
Tags: quasar @123 spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 5800caf82a36637733bfcbf94ff7d84a94b9aed9219e379f8a7fd0fdb9ba2f65
Threat Level: Known bad

The file server.exe was found to be: Known bad.

Malicious Activity Summary

quasar @123 spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Analysis: static1

Detonation Overview

Reported: 2024-06-15 04:34

Signatures

Quasar family

quasar

Quasar payload

Unsigned PE

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 04:34
Reported: 2024-06-15 04:37
Platform: win11-20240508-en
Max time kernel: 146s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
(the same entry is recorded 7 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4288 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1196 wrote to memory of 224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1196 wrote to memory of 3492 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3492 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2904 wrote to memory of 3592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2904 wrote to memory of 1620 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1620 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2784 wrote to memory of 1136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2784 wrote to memory of 4236 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4236 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1092 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1092 wrote to memory of 4656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4656 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 3176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2180 wrote to memory of 3652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2180 wrote to memory of 1944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1944 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 1824 wrote to memory of 1444 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1824 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1824 wrote to memory of 3180 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3180 wrote to memory of 720 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 720 wrote to memory of 4072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 720 wrote to memory of 852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wrr28RXegIfd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIGLmipQcGa1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sB94YRkaCAzb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JjitCF1wQiDF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cwhqui4oFn7x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FnDPfQMKWaF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iK8BlHZM1Xcf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mother-amanda.gl.at.ply.gg | udp
US | 52.111.229.43:443 | - | tcp
(the DNS query for mother-amanda.gl.at.ply.gg is recorded 7 times)

Files

C:\Users\Admin\AppData\Local\Temp\Wrr28RXegIfd.bat

MD5 aae5f3e695612b5d2515194682550ed4
SHA1 2206ed2000b634463905ef7f7c09f137b0e9f229
SHA256 921f045f29434210baa178b8a24944a5c13e4a3b097f35974f8ef439aa82cf99
SHA512 941bb03f7afb735d653ef014ef1e8c433ca211c6979c64b6056a6c0b0a4d4c66f45e945d65cfcc4f89497bdeb5027f67914e06506460dd0883224943afe5fbad

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\server.exe.log

MD5 15eab799098760706ed95d314e75449d
SHA1 273fb07e40148d5c267ca53f958c5075d24c4444
SHA256 45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778
SHA512 50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

C:\Users\Admin\AppData\Local\Temp\CIGLmipQcGa1.bat

MD5 68709e6889e362ff7b6ff5bf13f8546f
SHA1 9b1ef1b8203a46fcac2fcf94110d6fe2535dd9bf
SHA256 417f0f640ad1a7056ad76cee43bb4ef4a4dc845d1d12d6493a7da48d4534411d
SHA512 7e21d5acd4ab43d14c15c4c590398c7b278fd6c4008671cc862083f107199a494f9b3b09e83e722c3c55ea9c354ed13869dcd7d31f8c17d589e7c4adc57f1911

C:\Users\Admin\AppData\Local\Temp\sB94YRkaCAzb.bat

MD5 f7c8974ce1b8e7e0097a74e08c134b0e
SHA1 be678ab8a05cc65fea14a6e8dc60d62737cdc78d
SHA256 8db1ceb78c30cb6301a14405e37480cfde364aeb59555fa878930b1e8d66a359
SHA512 a220f0807610e6734af2dc5ab1df183d0d70a088bb4d6c246d5af2020e60c8c161f20c412ed69c0fdd77473db76d5227e2286846923a147d52b060cc6cc7d4a5

C:\Users\Admin\AppData\Local\Temp\JjitCF1wQiDF.bat

MD5 065ab646749059e3f55d0fc28cf35eba
SHA1 a5e9db99cf1a1ef0e0fbff348e8cd000fe6c91c0
SHA256 bd0f0fac8f51da26dcf2fb923945099927fe88580bf43445bffeb335ca6f678f
SHA512 24408fa648a523f2cebbb14615653e93482697f1c5dda1b8b351e7dbca7b658a27417080c483a0866541818c9c11396ede7e96362de53941332e14eeda5d362a

C:\Users\Admin\AppData\Local\Temp\Cwhqui4oFn7x.bat

MD5 c79dcce7481e05aa16cbb68c290a746c
SHA1 e287648be036630f7de8a81af56b5a128a21767e
SHA256 ebd87722da3dceb5f4bf36fd175517ddb86dcb40e06deb1dfd7256049f36efe3
SHA512 26668ad055cac1a5ff889fb3c226395dedcc084abfffe6c375d892ef25a3505904a54f3a45087e5ac7e941d4d86ffc19f9938d5911a7cbe99283ddb294870475

C:\Users\Admin\AppData\Local\Temp\4FnDPfQMKWaF.bat

MD5 8ffe60ca6e140394cb71a44b54253fd2
SHA1 3a80e45ac587c3cf5ffd74cd054269efb28e5d19
SHA256 45ad178eaaf2559ba936569af4b7ba94e1958f925cb4ee5ae2a733aad06762f3
SHA512 e399af016aaa63a85cedd2e1391abb95365f76dd03f745f2222178d6e36e3c56d3766698ba5db663d9420e05da8d03fb405613942cfdd9a3e608119320f1390a

C:\Users\Admin\AppData\Local\Temp\iK8BlHZM1Xcf.bat

MD5 210c528b63b93b706d2d94d75cbfea3c
SHA1 7076bf0a835034c5fc744956d6ff1e06e1d6e033
SHA256 0f6ea0caf7e8bf15cf049dec4163b8785b20b061c6e2f67b03e6b38eb63dfdbb
SHA512 2142ed898083cec410bf673506c5d85018eb657b91a47b94b0cf3f8699f9b321958189e302b369804fa2b46a2d8a151b7f6c592cffdb5dc380d305f46505364c

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 04:34
Reported: 2024-06-15 04:37
Platform: win10-20240404-en
Max time kernel: 134s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4904 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 3160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1712 wrote to memory of 4028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E8PmdBltaGRX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mother-amanda.gl.at.ply.gg | udp
US | 147.185.221.20:21734 | mother-amanda.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | ipwho.is | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
DE | 195.201.57.90:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\E8PmdBltaGRX.bat

MD5 f0a9db22d5bac84edf157bf28b450225
SHA1 828ecc52aa284dff1db9fb8782555c663b4875e5
SHA256 c3319d32543a7d2bad1a0d855a6e68dbccb30dee5c426c168ddfaae6758a9edc
SHA512 a1d1523a4eff16e85bf76340d77a7a7fb6d81d5b94aa5da63ccbecbc265e1984752f2ee16e7dd52206b2e2dd4e8aec3e17c0ad0bc30af667f709c4df9ec265f3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 04:34
Reported: 2024-06-15 04:37
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2332 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 4540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1304 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r00dXrM9WAsA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | mother-amanda.gl.at.ply.gg | udp
US | 147.185.221.20:21734 | mother-amanda.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ipwho.is | udp
DE | 195.201.57.90:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp
GB | 142.250.200.42:443 | - | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 13.107.246.64:443 | - | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\r00dXrM9WAsA.bat

MD5 2dae0159d976dbe53d985e792aabf187
SHA1 75961d167da3e312ff1958a5424b944e6aebb8e0
SHA256 728a0cf0154c9e1dc5b2675ae18ed9a7648db583f36de50b96e8d39071996eed
SHA512 c5bf59e5d41dd8c61618e803bff0450941f120d2494f5d04c3d2ca7ffee3d7fe15087f0b0a06f8fe75aba230714e4667214bfa42abdd4e677cb396cdf2825e42
