quasar | 5ba2abf6557f3c88e379fab1b387689f6c3a6ee76f353fe95c1df5874e55e6a2

Analysis

max time kernel
168s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

59bf2f79aa09f7a589fb5bd08c0d0a14
SHA1

5660d61d1917c74812df882c0022c2431fefef7f
SHA256

5ba2abf6557f3c88e379fab1b387689f6c3a6ee76f353fe95c1df5874e55e6a2
SHA512

1aad8dfb43ff8a2036b7c7755709c71c053a5752026957aa1aa4cc1a33a8eef8afbba130fa36c14bc152476d16c644af3759bfaa643c2cd5482f912a4c436b8e
SSDEEP

49152:rvXI22SsaNYfdPBldt698dBcjHdP4YatoEBep8oG3c9THHB72eh2NT:rvY22SsaNYfdPBldt6+dBcjHdP4zW

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.104:4782

Mutex

f7007fc1-3c9f-44f5-9f4a-a1b906b51b44

Attributes

encryption_key
97E9CFF0CDEC31A610D73E8D91954B5BF77F8F47
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Checker
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1564-1-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000234d1-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2644	Client.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
1196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	Client-built.exe
Token: SeDebugPrivilege	2644	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1980	1564	Client-built.exe	88
PID 1564 wrote to memory of 1980	1564	Client-built.exe	88
PID 1564 wrote to memory of 2644	1564	Client-built.exe	90
PID 1564 wrote to memory of 2644	1564	Client-built.exe	90
PID 2644 wrote to memory of 1196	2644	Client.exe	91
PID 2644 wrote to memory of 1196	2644	Client.exe	91
PID 2680 wrote to memory of 1468	2680	msedge.exe	128
PID 2680 wrote to memory of 1468	2680	msedge.exe	128
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 1420	2680	msedge.exe	129
PID 2680 wrote to memory of 4192	2680	msedge.exe	130
PID 2680 wrote to memory of 4192	2680	msedge.exe	130
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131
PID 2680 wrote to memory of 4884	2680	msedge.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1980
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9c7e566ehb411h4efeh9d53hc8304bb7d30c
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb9f8f46f8,0x7ffb9f8f4708,0x7ffb9f8f4718
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11331629872545311807,964744034957941044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11331629872545311807,964744034957941044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11331629872545311807,964744034957941044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a66a71205862ff140ebe17c2dd1336e

SHA1
56a8805da6b068ebe049ae351eecd245e4b040e5

SHA256
bb53b024f9645b790ebe87b67923c903ce022e20aa675fb6874ce6121b0240e6

SHA512
1c45628b1a279a0d8d5978e8c4fcf368cf74e88d4490e6140f1abd5ac29313f107ef7adb2987ca8644375d9dd16575432d59d7e74def261805387829617330ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4dc201b5b12ac05c0ad45282548fdca9

SHA1
256658f779074c9a6c5cb67f811aee8003085895

SHA256
ac45f1fea0af6a531d8c4b7762331bff0e0807a57812a0dbda308f54ba0dbe89

SHA512
e037a224d180bff7177e2d9af7461970b8b59841c4ac22abe39d0423018374c71d4f141203e9cb4af656bda172a94d0d0692e8fda4d7e8d434bbcd050b82e61d

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
59bf2f79aa09f7a589fb5bd08c0d0a14

SHA1
5660d61d1917c74812df882c0022c2431fefef7f

SHA256
5ba2abf6557f3c88e379fab1b387689f6c3a6ee76f353fe95c1df5874e55e6a2

SHA512
1aad8dfb43ff8a2036b7c7755709c71c053a5752026957aa1aa4cc1a33a8eef8afbba130fa36c14bc152476d16c644af3759bfaa643c2cd5482f912a4c436b8e

Download Submit
memory/1564-1-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/1564-2-0x00007FFBA63E0000-0x00007FFBA6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1564-10-0x00007FFBA63E0000-0x00007FFBA6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1564-0-0x00007FFBA63E3000-0x00007FFBA63E5000-memory.dmp

Filesize
8KB

Download
memory/2644-11-0x00007FFBA63E0000-0x00007FFBA6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-14-0x00007FFBA63E0000-0x00007FFBA6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-13-0x000000001BE90000-0x000000001BF42000-memory.dmp

Filesize
712KB

Download
memory/2644-12-0x0000000002A00000-0x0000000002A50000-memory.dmp

Filesize
320KB

Download
memory/2644-9-0x00007FFBA63E0000-0x00007FFBA6EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-64-0x000000001C7C0000-0x000000001CCE8000-memory.dmp

Filesize
5.2MB

Download