quasar | 3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoogleChrome.exe
Size

690KB
MD5

5818f4fecb0dcc52227035dc0d88830b
SHA1

ccda411e1e7c643308f8c643b384ec979c185787
SHA256

1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894
SHA512

b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f
SSDEEP

12288:jTEgdfY8l6hdV6l4et8klwIdctVdrcdirMBgJS9UOIK3:8UwBD6lbt8ufcVrcdiMCJSuOIK3

Score

10^/10

quasar test spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Test

scambaiting2022.ddns.net:25565

192.168.1.3:25565

Mutex

41845399-4858-4791-bd1c-b2526f38e8cc

Attributes

encryption_key
77693888CF811B44AE75658ADBCA8897192A96FF
install_name
update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chrome Update
subdirectory
Chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1660-1-0x0000000000D00000-0x0000000000DB2000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Chrome\update.exe	family_quasar
behavioral9/memory/2656-7-0x0000000000020000-0x00000000000D2000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2656 update.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3040 schtasks.exe
2820 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GoogleChrome.exeupdate.exe

description pid process

Token: SeDebugPrivilege 1660 GoogleChrome.exe
Token: SeDebugPrivilege 2656 update.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

update.exe

pid process

2656 update.exe

pid	process
2656	update.exe

pid	process
3040	schtasks.exe
2820	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1660	GoogleChrome.exe
Token: SeDebugPrivilege	2656	update.exe

pid	process
2656	update.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

GoogleChrome.exeupdate.exe

description	pid	process	target process
PID 1660 wrote to memory of 3040	1660	GoogleChrome.exe	schtasks.exe
PID 1660 wrote to memory of 3040	1660	GoogleChrome.exe	schtasks.exe
PID 1660 wrote to memory of 3040	1660	GoogleChrome.exe	schtasks.exe
PID 1660 wrote to memory of 2656	1660	GoogleChrome.exe	update.exe
PID 1660 wrote to memory of 2656	1660	GoogleChrome.exe	update.exe
PID 1660 wrote to memory of 2656	1660	GoogleChrome.exe	update.exe
PID 2656 wrote to memory of 2820	2656	update.exe	schtasks.exe
PID 2656 wrote to memory of 2820	2656	update.exe	schtasks.exe
PID 2656 wrote to memory of 2820	2656	update.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Chrome Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\GoogleChrome.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3040
- C:\Users\Admin\AppData\Roaming\Chrome\update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome\update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Chrome Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Chrome\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome\update.exe

Filesize
690KB

MD5
5818f4fecb0dcc52227035dc0d88830b

SHA1
ccda411e1e7c643308f8c643b384ec979c185787

SHA256
1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894

SHA512
b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f

Download Submit
memory/1660-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000000D00000-0x0000000000DB2000-memory.dmp

Filesize
712KB

Download
memory/1660-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1660-9-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-7-0x0000000000020000-0x00000000000D2000-memory.dmp

Filesize
712KB

Download
memory/2656-10-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-8-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download