quasar | aa3170ce6b4bbd9960ac0ccd60f7d0b39cc0d28254bfe73545b540cbd8444b21

Resubmissions

15/10/2024, 18:43

241015-xcv14avdjn 10

15/10/2024, 00:19

15/10/2024, 00:16

14/10/2024, 23:42

14/10/2024, 23:27

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15/10/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

e35d832888fda0fd705386a4b94ecc49
SHA1

86380c3eea496c7947c25c547748cfeed51c4de9
SHA256

aa3170ce6b4bbd9960ac0ccd60f7d0b39cc0d28254bfe73545b540cbd8444b21
SHA512

60d6aec705948474fa007dad26fdba9b92dcb1098aefb4eed2898af7b048729e4a3ee5af7e7b9ca9e555b97b54f6d97007dfc1531d0abb9e5da01b5911c5fd63
SSDEEP

49152:Av4lL26AaNeWgPhlmVqvMQ7XSKNEREuY4oGdPwTHHB72eh2NT:AvQL26AaNeWgPhlmVqkQ7XSKmREuT

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

HomoThugger-36407.portmap.host:36407

Mutex

42d6f4c0-e8fc-473a-b92d-ded3fb29334a

Attributes

encryption_key
3CDA48FEB25557C87485A9F37CDC861398BEA3C7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/416-1-0x00000000004D0000-0x00000000007F4000-memory.dmp	family_quasar

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734251251276377"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	416	Client-built.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
416	Client-built.exe
416	Client-built.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
416	Client-built.exe
416	Client-built.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 2592	416	Client-built.exe	77
PID 416 wrote to memory of 2592	416	Client-built.exe	77
PID 1868 wrote to memory of 1684	1868	chrome.exe	83
PID 1868 wrote to memory of 1684	1868	chrome.exe	83
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 2104	1868	chrome.exe	84
PID 1868 wrote to memory of 4404	1868	chrome.exe	85
PID 1868 wrote to memory of 4404	1868	chrome.exe	85
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86
PID 1868 wrote to memory of 1832	1868	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff925d9cc40,0x7ff925d9cc4c,0x7ff925d9cc58
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4256,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4292 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5084,i,3877914578706548399,858809101923877627,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b8239bef3866cfd07b09ebb0f98a62e0

SHA1
429fc50f6a1d6862a036143e61a83e47da7dafb8

SHA256
f1594115c4270e56dd250e8f7c178fd48b22058fb94f5bf9e44e2fa0c2435741

SHA512
76632ed714cb0bbe0058779bfee276ddeb328a1caa0c15cafa17cf8410c329e2984474c7691350db07f4677de0e8b2688a9ba493864fdc3833944ef7c3dbb1d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46ef428f1cee8218f3065769c89094e5

SHA1
23bfd28fbab8f5eecdaa5df1a389dbad52e7aef4

SHA256
67ff5959b210761eb703c158c7a6842498d04be893bc0d6de72f165bd0694879

SHA512
6d56aa1f2da00cacb015459d19049886106b8f3d2305271ed4cf34dd8ab28b79c6b88f5b6239396bcf2bcf853705a831ceb8538bb587318d3f785a2da7ba86d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
98cf8ecf2a9e519cc8eff67f35d854c3

SHA1
2abf978f6b7ac69038bcb233f2c05ebb99b3869a

SHA256
cd2f44fab015dc435f66d30600bff3442311b0f2b58e55097ec71ea8a37483bb

SHA512
61abfee48440b4ee02cce825ab2ef33c95a699b8362cd87a282587ec3dbc2425596d3718134f496bf97a0ebef0d88fc4b17606eb8d6ab67dfb8064040bdf082a

Download Submit
memory/416-3-0x000000001C350000-0x000000001C3A0000-memory.dmp

Filesize
320KB

Download
memory/416-8-0x000000001C420000-0x000000001C45C000-memory.dmp

Filesize
240KB

Download
memory/416-9-0x00007FF9166B3000-0x00007FF9166B5000-memory.dmp

Filesize
8KB

Download
memory/416-10-0x00007FF9166B0000-0x00007FF917172000-memory.dmp

Filesize
10.8MB

Download
memory/416-7-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

Filesize
72KB

Download
memory/416-4-0x000000001C460000-0x000000001C512000-memory.dmp

Filesize
712KB

Download
memory/416-0-0x00007FF9166B3000-0x00007FF9166B5000-memory.dmp

Filesize
8KB

Download
memory/416-2-0x00007FF9166B0000-0x00007FF917172000-memory.dmp

Filesize
10.8MB

Download
memory/416-1-0x00000000004D0000-0x00000000007F4000-memory.dmp

Filesize
3.1MB

Download