Malware Analysis Report

2024-10-19 06:32

Sample ID 240628-pll6jsyhpb
Target 78a7612603af19fb92d614af1e769f2a.exe
SHA256 73399ca48340bd7a31da27d573966f23371fe4ea82625ee3b7ce2772386b9e04
Tags: quasar newoffice spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 73399ca48340bd7a31da27d573966f23371fe4ea82625ee3b7ce2772386b9e04

Threat Level: Known bad

The file 78a7612603af19fb92d614af1e769f2a.exe was found to be: Known bad.

Malicious Activity Summary

quasar newoffice spyware trojan

Quasar RAT

Quasar payload

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-28 12:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 12:25
Reported: 2024-06-28 12:27
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe

"C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe"

Network

Country Destination Domain Proto Count
HK 117.18.7.76:3782 N/A tcp 36

Files

memory/992-0-0x0000000000470000-0x0000000000795000-memory.dmp
memory/992-1-0x0000000000470000-0x0000000000795000-memory.dmp
memory/992-2-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
memory/992-3-0x000000001BCC0000-0x000000001BFE4000-memory.dmp
memory/992-4-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/992-5-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/992-6-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
memory/992-7-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/992-8-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/992-9-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/992-10-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 12:25
Reported: 2024-06-28 12:27
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe

"C:\Users\Admin\AppData\Local\Temp\78a7612603af19fb92d614af1e769f2a.exe"

Network

Country Destination Domain Proto Count
HK 117.18.7.76:3782 N/A tcp 6

Files

memory/2544-0-0x00000169892A0000-0x00000169895C5000-memory.dmp
memory/2544-1-0x00000169892A0000-0x00000169895C5000-memory.dmp
memory/2544-2-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
memory/2544-3-0x00000169A4020000-0x00000169A4344000-memory.dmp
memory/2544-4-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
memory/2544-5-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
memory/2544-6-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
memory/2544-7-0x000001698B5D0000-0x000001698B620000-memory.dmp
memory/2544-8-0x00000169A3DB0000-0x00000169A3E62000-memory.dmp
memory/2544-9-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp
memory/2544-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
memory/2544-11-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp
memory/2544-12-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp