Malware Analysis Report

2024-10-23 21:24

Sample ID 240802-vmr13sscqr
Target Solara Executor V2.rar
SHA256 a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e
Tags
office04 quasar spyware trojan discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a83f40624d7d8f6f769e672c41a72785bb623fa6f87640aac16cd7300599b21e

Threat Level: Known bad

The file Solara Executor V2.rar was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan discovery

Quasar family

Quasar payload

Quasar RAT

Deletes itself

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-02 17:06

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-02 17:06

Reported

2024-08-02 17:13

Platform

win11-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe

"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Download (RUN FIRST).exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "SolaraExecutor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe" /rl HIGHEST /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
N/A | 192.168.68.119:4782 | (none) | tcp
US | 8.8.8.8:53 | realwz-34142.portmap.host | udp
DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp
N/A | 192.168.68.119:4782 | (none) | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp
N/A | 192.168.68.119:4782 | (none) | tcp
DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp
N/A | 192.168.68.119:4782 | (none) | tcp
DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp
N/A | 192.168.68.119:4782 | (none) | tcp
DE | 193.161.193.99:34142 | realwz-34142.portmap.host | tcp

Files

memory/3080-0-0x00007FFECF253000-0x00007FFECF255000-memory.dmp

memory/3080-1-0x00000000007D0000-0x0000000000AF4000-memory.dmp

memory/3080-2-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Downloader.exe

MD5 c23404d4606f1e49bfc9efff359ed317
SHA1 da2904b0f8e16119576e389c0d77c2b4c96baf9e
SHA256 00345f840ce5cc3045c67e63e93f2fb438963eeb13a8d8587e2b196d4bc79591
SHA512 30bb2f181342ab8e9c8bd851d554bedb6f87a91021b2a521ed02313ec146083920b33cc3a28135fb4b45f6103dc0c8fb01ba61096ece3ad23e2e5d3cd5720407

memory/3080-10-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

memory/1304-9-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

memory/1304-11-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

memory/1304-12-0x000000001C0F0000-0x000000001C140000-memory.dmp

memory/1304-13-0x000000001C200000-0x000000001C2B2000-memory.dmp

memory/1304-14-0x00007FFECF250000-0x00007FFECFD12000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-02 17:06

Reported

2024-08-02 17:12

Platform

win11-20240802-en

Max time kernel

61s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe

"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe"

C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe

"C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\Solara Executor.exe" --isUpdate true

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 104.20.4.235:443 | pastebin.com | tcp
GB | 20.26.156.215:443 | github.com | tcp
US | 185.199.110.133:443 | raw.githubusercontent.com | tcp
US | 104.20.4.235:443 | pastebin.com | tcp
GB | 128.116.119.4:443 | clientsettings.roblox.com | tcp

Files

memory/4648-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

memory/4648-1-0x0000000000290000-0x000000000035E000-memory.dmp

memory/4648-2-0x00000000742D0000-0x0000000074A81000-memory.dmp

memory/4648-3-0x00000000057F0000-0x0000000005812000-memory.dmp

memory/4648-4-0x0000000005820000-0x0000000005B77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara Executor V2\BootstrapperV1.11.exe

MD5 365971e549352a15e150b60294ec2e57
SHA1 2932242b427e81b1b4ac8c11fb17793eae0939f7
SHA256 faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42
SHA512 f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

memory/4648-16-0x00000000742D0000-0x0000000074A81000-memory.dmp

memory/3148-18-0x00000000005D0000-0x000000000069E000-memory.dmp

memory/3148-19-0x00000000742D0000-0x0000000074A81000-memory.dmp

memory/3148-20-0x00000000742D0000-0x0000000074A81000-memory.dmp

memory/3148-21-0x00000000742D0000-0x0000000074A81000-memory.dmp