Malware Analysis Report

2025-03-15 06:24

Sample ID: 240930-2nlzsasfld
Target: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N
SHA256: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70
Tags: quasar hacked discovery spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70

Threat Level: Known bad

The file ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N was found to be: Known bad.

Malicious Activity Summary

quasar hacked discovery spyware trojan

Quasar RAT

Quasar payload

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-30 22:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-30 22:43
Reported: 2024-09-30 22:45
Platform: win7-20240903-en
Max time kernel: 115s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 1.tcp.sa.ngrok.io | N/A | N/A
N/A | 1.tcp.sa.ngrok.io | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe

"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"

C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe

"C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 firebasestorage.googleapis.com udp
GB 172.217.169.42:443 firebasestorage.googleapis.com tcp
US 8.8.8.8:53 1.tcp.sa.ngrok.io udp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 1.tcp.sa.ngrok.io udp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:20545 1.tcp.sa.ngrok.io tcp

Files

memory/1944-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

memory/1944-1-0x0000000000C30000-0x0000000000C38000-memory.dmp

memory/1944-4-0x0000000074C60000-0x000000007534E000-memory.dmp

\Users\Admin\AppData\Local\Temp\downloaded_exe.exe

MD5 95987c727f465f760652339082f0e4d1
SHA1 fa3ac56456f4a243a22b780e0f5acbaeda553f33
SHA256 bd37ec6eb02875146d2ec01acbf5c0a58992eda86391489df1dce6485351ef88
SHA512 752b1e7cf1daf5a4a68cb80a517126f1aa6b1f91ce0409ba197bba45b3f4c483f6b22e16749d2df78b42c92e25b9b85d47f79cd359397d30f6f33b690eb593a9

memory/2696-11-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

memory/2696-12-0x0000000000A00000-0x0000000000D24000-memory.dmp

memory/2696-13-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/1944-14-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

memory/1944-15-0x0000000074C60000-0x000000007534E000-memory.dmp

memory/2696-16-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

memory/2696-17-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-30 22:43
Reported: 2024-09-30 22:45
Platform: win10v2004-20240802-en
Max time kernel: 116s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 1.tcp.sa.ngrok.io | N/A | N/A
N/A | 1.tcp.sa.ngrok.io | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe

"C:\Users\Admin\AppData\Local\Temp\ed7f226ee28ac5db0fa9b8409b307297e47db8ab3c13c54554554bc085a73c70N.exe"

C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe

"C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 firebasestorage.googleapis.com udp
GB 142.250.200.42:443 firebasestorage.googleapis.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.tcp.sa.ngrok.io udp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:20545 1.tcp.sa.ngrok.io tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.tcp.sa.ngrok.io udp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:20545 1.tcp.sa.ngrok.io tcp

Files

memory/2128-0-0x000000007491E000-0x000000007491F000-memory.dmp

memory/2128-1-0x0000000000B20000-0x0000000000B28000-memory.dmp

memory/2128-4-0x0000000074910000-0x00000000750C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\downloaded_exe.exe

MD5 95987c727f465f760652339082f0e4d1
SHA1 fa3ac56456f4a243a22b780e0f5acbaeda553f33
SHA256 bd37ec6eb02875146d2ec01acbf5c0a58992eda86391489df1dce6485351ef88
SHA512 752b1e7cf1daf5a4a68cb80a517126f1aa6b1f91ce0409ba197bba45b3f4c483f6b22e16749d2df78b42c92e25b9b85d47f79cd359397d30f6f33b690eb593a9

memory/2692-16-0x00007FFD03D63000-0x00007FFD03D65000-memory.dmp

memory/2692-17-0x0000000000AA0000-0x0000000000DC4000-memory.dmp

memory/2692-18-0x00007FFD03D60000-0x00007FFD04821000-memory.dmp

memory/2692-19-0x000000001D5C0000-0x000000001D610000-memory.dmp

memory/2692-20-0x000000001D6D0000-0x000000001D782000-memory.dmp

memory/2128-21-0x000000007491E000-0x000000007491F000-memory.dmp

memory/2128-22-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2692-23-0x00007FFD03D63000-0x00007FFD03D65000-memory.dmp

memory/2692-24-0x00007FFD03D60000-0x00007FFD04821000-memory.dmp