Malware Analysis Report

2024-10-23 21:24

Sample ID: 240804-y5kw9svemr
Target: fa3f8212e3f1cf885d35ea36ef891350N.exe
SHA256: 78d043a6604624a4dbce3e3b284e49a297768218407213f17b5bfce17d97b6d5
Tags: office04 quasar spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 78d043a6604624a4dbce3e3b284e49a297768218407213f17b5bfce17d97b6d5

Threat Level: Known bad

The file fa3f8212e3f1cf885d35ea36ef891350N.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar RAT

Quasar family

Executes dropped EXE

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-04 20:22

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-04 20:22

Reported: 2024-08-04 20:24

Platform: win7-20240729-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Executes dropped EXE

Description | Indicator | Process                                          | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A
N/A         | N/A       | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description             | Indicator | Process                                                                 | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe | N/A
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                        | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process                                          | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe

"C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination       | Domain | Proto
N/A     | 192.168.1.19:4782 |        | tcp
N/A     | 192.168.1.19:4782 |        | tcp
N/A     | 192.168.1.19:4782 |        | tcp
N/A     | 192.168.1.19:4782 |        | tcp
N/A     | 192.168.1.19:4782 |        | tcp

Files

memory/2088-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

memory/2088-1-0x0000000001070000-0x0000000001394000-memory.dmp

memory/2088-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa3f8212e3f1cf885d35ea36ef891350
SHA1 49759e579fffe208716703aed27aa057913a6e08
SHA256 78d043a6604624a4dbce3e3b284e49a297768218407213f17b5bfce17d97b6d5
SHA512 98343b8274d5036613f04e17315de729e780f2441ba7be5d9f6bef2f314124c6caf8dd170f1b6479c9ec37225ebf40672f2303bb6814f018683a14a7cc166a0f

memory/2452-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2088-10-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2452-9-0x0000000001030000-0x0000000001354000-memory.dmp

memory/2452-11-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

memory/2452-12-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-04 20:22

Reported: 2024-08-04 20:24

Platform: win10v2004-20240802-en

Max time kernel: 101s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Executes dropped EXE

Description | Indicator | Process                                          | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A         | N/A       | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description             | Indicator | Process                                                                 | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe | N/A
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe                        | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process                                          | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe

"C:\Users\Admin\AppData\Local\Temp\fa3f8212e3f1cf885d35ea36ef891350N.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination        | Domain                           | Proto
US      | 8.8.8.8:53         | g.bing.com                       | udp
US      | 204.79.197.237:443 | g.bing.com                       | tcp
US      | 8.8.8.8:53         | 237.197.79.204.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 240.221.184.93.in-addr.arpa      | udp
N/A     | 192.168.1.19:4782  |                                  | tcp
US      | 8.8.8.8:53         | 73.159.190.20.in-addr.arpa       | udp
US      | 8.8.8.8:53         | 58.99.105.20.in-addr.arpa        | udp
N/A     | 192.168.1.19:4782  |                                  | tcp
US      | 8.8.8.8:53         | 103.169.127.40.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 56.126.166.20.in-addr.arpa       | udp
US      | 8.8.8.8:53         | 147.142.123.92.in-addr.arpa      | udp
N/A     | 192.168.1.19:4782  |                                  | tcp
US      | 8.8.8.8:53         | 42.56.20.217.in-addr.arpa        | udp
N/A     | 192.168.1.19:4782  |                                  | tcp
US      | 8.8.8.8:53         | 25.140.123.92.in-addr.arpa       | udp
N/A     | 192.168.1.19:4782  |                                  | tcp

Files

memory/3264-0-0x00007FFBA6B53000-0x00007FFBA6B55000-memory.dmp

memory/3264-1-0x0000000000170000-0x0000000000494000-memory.dmp

memory/3264-2-0x00007FFBA6B50000-0x00007FFBA7611000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 fa3f8212e3f1cf885d35ea36ef891350
SHA1 49759e579fffe208716703aed27aa057913a6e08
SHA256 78d043a6604624a4dbce3e3b284e49a297768218407213f17b5bfce17d97b6d5
SHA512 98343b8274d5036613f04e17315de729e780f2441ba7be5d9f6bef2f314124c6caf8dd170f1b6479c9ec37225ebf40672f2303bb6814f018683a14a7cc166a0f

memory/4148-10-0x00007FFBA6B50000-0x00007FFBA7611000-memory.dmp

memory/3264-9-0x00007FFBA6B50000-0x00007FFBA7611000-memory.dmp

memory/4148-11-0x00007FFBA6B50000-0x00007FFBA7611000-memory.dmp

memory/4148-12-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

memory/4148-13-0x000000001C2B0000-0x000000001C362000-memory.dmp

memory/4148-14-0x00007FFBA6B50000-0x00007FFBA7611000-memory.dmp