Malware Analysis Report

2024-10-19 08:35

Sample ID 240801-cg372s1ajg
Target BootstrapperV1.11.exe
SHA256 dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c
Tags quasar office04 spyware trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c

Threat Level: Known bad

The file BootstrapperV1.11.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

The only technique-named signature in this report is Scheduled Task/Job: Scheduled Task (T1053.005), raised for the schtasks.exe /create invocations recorded in both behavioral runs. The remaining signatures (SeDebugPrivilege via AdjustPrivilegeToken, SetWindowsHookEx, WriteProcessMemory, Task Scheduler COM API) are listed without a technique mapping.

Analysis: static1

Detonation Overview

Reported

2024-08-01 02:03

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 02:03

Reported

2024-08-01 02:06

Platform

win7-20240705-en

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe

"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
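The two schtasks.exe command lines above are the whole persistence mechanism: register a task named "Solara" that runs the dropped Client.exe from %APPDATA% at every logon with the highest run level, with /f overwriting any task of that name. The parser and scoring function below, added here as an example and not part of the sandbox report or of Quasar, flag that pattern in process-creation telemetry. The USER_WRITABLE directory list, the two benign control lines and the scoring threshold are the author's assumptions; the first sample line is the command recorded in this report.

```python
"""Flag schtasks.exe invocations that register a user-writable binary to run
at logon, the pattern Quasar's installer produces in this report.

Added example for this report, not code from the sandbox or from Quasar.
Sample command lines are constructed: the first is the one recorded in the
Processes section, the other two are benign controls added for contrast.
"""
import ntpath
import re

# Tokenizer for Windows command lines: a quoted string becomes one token,
# everything else splits on whitespace. Backslashes are kept verbatim.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# schtasks switches that take a following value (compared lower-cased).
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/mo", "/st", "/sd", "/xml"}

# Directory fragments a standard user can write to (assumption: tune per estate).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")

# Schedule types that fire without the user doing anything.
AUTO_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY"}


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return a dict of the schtasks action, valued switches and bare flags,
    or None when the command line is not a schtasks invocation."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    task = {"action": None, "flags": set()}
    i = 1
    while i < len(toks):
        tok = toks[i].lower()
        if tok in ("/create", "/delete", "/change", "/run", "/end", "/query"):
            task["action"] = tok[1:]
        elif tok in VALUE_SWITCHES and i + 1 < len(toks):
            task[tok[1:]] = toks[i + 1]   # keep the value's original case
            i += 1
        else:
            task["flags"].add(tok)
        i += 1
    return task


def assess(task):
    """List the reasons a parsed /create task looks like malware persistence."""
    reasons = []
    if task is None or task["action"] != "create":
        return reasons
    if any(frag in task.get("tr", "").lower() for frag in USER_WRITABLE):
        reasons.append("user-writable target: " + task["tr"])
    sc = task.get("sc", "").upper()
    if sc in AUTO_TRIGGERS:
        reasons.append("fires on " + sc + " without user interaction")
    if task.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: highest integrity level the user can get, no UAC prompt")
    if "/f" in task["flags"]:
        reasons.append("/f: silently overwrites an existing task of the same name")
    return reasons


def is_persistence(cmdline):
    """True only when the task runs from a user-writable path AND shows at
    least one more signal, so a vendor updater in Program Files is not hit."""
    reasons = assess(parse_schtasks(cmdline))
    return any(r.startswith("user-writable") for r in reasons) and len(reasons) >= 2


SAMPLE_LINES = [
    # recorded in this report (both sandboxes ran it twice)
    '"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    # constructed benign control: an updater registered from Program Files
    '"C:\\Windows\\system32\\schtasks.exe" /create /tn "VendorUpdate" /sc DAILY /st 12:00 /tr "C:\\Program Files\\Vendor\\update.exe"',
    # constructed: not a schtasks invocation at all
    '"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(is_persistence(line), assess(parse_schtasks(line)))
```

/rl HIGHEST only changes anything when the logged-on user is a member of Administrators: the task then runs with the user's full elevated token and no UAC prompt. For a standard user it yields a medium-integrity process, which is enough for the hook-based input capture and the C2 connection but not for the SeDebugPrivilege adjustment the signatures record, since that privilege is absent from a standard user's token.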

Network

Country | Destination | Domain | Proto
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp  (7 connection attempts)

All seven rows are the same endpoint: the client repeatedly connects to 10.2.0.2 on 4782, Quasar's default port. 10.2.0.2 is a private (RFC 1918) address, so the destination itself is not a routable indicator outside the sandbox; the portable signal is the behaviour, repeated direct-IP TCP connections on 4782 with no preceding DNS lookup.

Files

memory/2720-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

memory/2720-1-0x00000000013D0000-0x00000000016F4000-memory.dmp

memory/2720-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (dropped copy; its hashes are identical to the submitted BootstrapperV1.11.exe, so the bootstrapper copies itself to this path rather than unpacking a separate payload)

MD5 f9da53f4f072c15dbf78b015a10575a2
SHA1 96ea78662e9f44d6b4dcbbdc05bb4026188697ff
SHA256 dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c
SHA512 be39c735e3aa3a361b3ad2fd766182df0fa2dabbb50c3793f8d92d3c5ee1243d0111e2b40f47a2a68ab0a4e107bb50e411281b6d91fb4a17d0dfb8dd761dfa6f

memory/2720-7-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2700-9-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2700-8-0x0000000001160000-0x0000000001484000-memory.dmp

memory/2700-10-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2700-11-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 02:03

Reported

2024-08-01 02:06

Platform

win10v2004-20240730-en

Max time kernel

125s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe

"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp
N/A | 10.2.0.2:4782 | (direct IP, no DNS) | tcp

The DNS rows are reverse (in-addr.arpa) PTR lookups and a g.bing.com resolution issued from the Windows 10 image; none of them appear in the Windows 7 run, which shows only the 4782 connections. The rows attributable to the sample are the six direct-IP TCP connections to 10.2.0.2:4782, a private address on Quasar's default port, the same endpoint and pattern as in behavioral1.

Files

memory/2892-0-0x00007FFB28F93000-0x00007FFB28F95000-memory.dmp

memory/2892-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp

memory/2892-2-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (dropped copy; its hashes are identical to the submitted BootstrapperV1.11.exe, so the bootstrapper copies itself to this path rather than unpacking a separate payload)

MD5 f9da53f4f072c15dbf78b015a10575a2
SHA1 96ea78662e9f44d6b4dcbbdc05bb4026188697ff
SHA256 dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c
SHA512 be39c735e3aa3a361b3ad2fd766182df0fa2dabbb50c3793f8d92d3c5ee1243d0111e2b40f47a2a68ab0a4e107bb50e411281b6d91fb4a17d0dfb8dd761dfa6f

memory/2892-8-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp

memory/3024-9-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp

memory/3024-10-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp

memory/3024-11-0x000000001B7D0000-0x000000001B820000-memory.dmp

memory/3024-12-0x000000001B8E0000-0x000000001B992000-memory.dmp

memory/3024-13-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp