Malware Analysis Report

2025-04-13 11:54

Sample ID 240818-1t3ztawhpc
Target Client-built.exe
SHA256 88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896
Tags
skids quasar spyware trojan
score
10/10


Analysis Overview

score
10/10

SHA256

88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

skids quasar spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 21:57

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 21:57

Reported

2024-08-18 22:00

Platform

win7-20240729-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Windows | C:\Windows\system32\Windows\Windows Host Process.exe | N/A
File created | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\Windows | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f

C:\Windows\system32\Windows\Windows Host Process.exe

"C:\Windows\system32\Windows\Windows Host Process.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp

Files

memory/3000-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

memory/3000-1-0x0000000000DB0000-0x0000000001106000-memory.dmp

memory/3000-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

C:\Windows\System32\Windows\Windows Host Process.exe

MD5 280cdb0f182b4fca9cd0fd87ab0f9551
SHA1 b7631a3d0bc305c70f1a0711ca0d3b03d82252ec
SHA256 88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896
SHA512 d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd

memory/2816-9-0x0000000001310000-0x0000000001666000-memory.dmp

memory/3000-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2816-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2816-11-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2816-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 21:57

Reported

2024-08-18 22:04

Platform

win10v2004-20240802-en

Max time kernel

444s

Max time network

448s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\Windows | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\system32\Windows\Windows Host Process.exe | N/A
File opened for modification | C:\Windows\system32\Windows | C:\Windows\system32\Windows\Windows Host Process.exe | N/A
File created | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f

C:\Windows\system32\Windows\Windows Host Process.exe

"C:\Windows\system32\Windows\Windows Host Process.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp
US | 147.185.221.22:6712 | - | tcp

Files

memory/376-0-0x00007FFA93AE3000-0x00007FFA93AE5000-memory.dmp

memory/376-1-0x0000000000190000-0x00000000004E6000-memory.dmp

memory/376-2-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp

C:\Windows\System32\Windows\Windows Host Process.exe

MD5 280cdb0f182b4fca9cd0fd87ab0f9551
SHA1 b7631a3d0bc305c70f1a0711ca0d3b03d82252ec
SHA256 88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896
SHA512 d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd

memory/2136-10-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp

memory/376-9-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp

memory/2136-11-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp

memory/2136-12-0x000000001BBD0000-0x000000001BC20000-memory.dmp

memory/2136-13-0x000000001BCE0000-0x000000001BD92000-memory.dmp

memory/2136-14-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp