Malware Analysis Report

2024-10-23 19:04

Sample ID 240629-b93asa1fml
Target e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe
SHA256 e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0
Tags
quasar hotels spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0

Threat Level: Known bad

The file e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe was found to be: Known bad.

Malicious Activity Summary

quasar hotels spyware trojan

Detects file containing reversed ASEP Autorun registry keys

detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Detects executables embedding command execution via IExecuteCommand COM object

Quasar RAT

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Quasar family

Quasar payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables containing URLs to raw contents of a Github gist

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Detects executables embedding command execution via IExecuteCommand COM object

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing URLs to raw contents of a Github gist

Detects file containing reversed ASEP Autorun registry keys

Looks up external IP address via web service

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 01:51

Signatures

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding command execution via IExecuteCommand COM object

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:54

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding command execution via IExecuteCommand COM object

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe

"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 45.40.96.164:5552 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 164.96.40.45.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/668-0-0x000000007482E000-0x000000007482F000-memory.dmp

memory/668-1-0x0000000000F90000-0x000000000107C000-memory.dmp

memory/668-2-0x0000000005FB0000-0x0000000006554000-memory.dmp

memory/668-3-0x0000000005AA0000-0x0000000005B32000-memory.dmp

memory/668-4-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/668-5-0x0000000005B40000-0x0000000005BA6000-memory.dmp

memory/668-6-0x00000000068A0000-0x00000000068B2000-memory.dmp

memory/668-7-0x0000000006DE0000-0x0000000006E1C000-memory.dmp

memory/668-8-0x0000000007520000-0x000000000752A000-memory.dmp

memory/668-9-0x000000007482E000-0x000000007482F000-memory.dmp

memory/668-10-0x0000000074820000-0x0000000074FD0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:54

Platform

win7-20240220-en

Max time kernel

118s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding command execution via IExecuteCommand COM object

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe

"C:\Users\Admin\AppData\Local\Temp\e2cc914a1df535f2cf88007a518a9990afe5ccdb9cf1262e550e2ce8cc9c7eb0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 45.40.96.164:5552 tcp

Files

memory/2908-0-0x000000007405E000-0x000000007405F000-memory.dmp

memory/2908-1-0x0000000001020000-0x000000000110C000-memory.dmp

memory/2908-2-0x0000000074050000-0x000000007473E000-memory.dmp

memory/2908-3-0x000000007405E000-0x000000007405F000-memory.dmp

memory/2908-4-0x0000000074050000-0x000000007473E000-memory.dmp