quasar | d600758023374f78d58acafbcaf94af66ad203b28e22a305e2a9d53768b7030f

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d600758023374f78d58acafbcaf94af66ad203b28e22a.exe
Size

3.3MB
MD5

e089ca24836249976e2d5dca3678e807
SHA1

8cf9c018fc37aa609b08d49de20e9856b643305b
SHA256

d600758023374f78d58acafbcaf94af66ad203b28e22a305e2a9d53768b7030f
SHA512

76173c832baf4f003f7a2242b1daa8e4021320040de84125d1796c8b67dc2582b607efa77d386db38f6eda5dec892c9fc947b1930695d14687391537aa060f5a
SSDEEP

49152:pvPI22SsaNYfdPBldt698dBcjHkxOEMk8k/JxpoGdCYTHHB72eh2NTf:pvA22SsaNYfdPBldt6+dBcjHkxnby

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

173.214.167.207:4782

Mutex

feefbbd1-f830-4abb-beee-ba55da8cb629

Attributes

encryption_key
51CB1F5A5C66153C4F993F7F3638B35B3A7597B3
install_name
DefenderScan.exe
log_directory
init
reconnect_delay
3000
startup_key
Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-1-0x0000000001370000-0x00000000016BC000-memory.dmp	family_quasar
behavioral1/files/0x002e000000018baf-5.dat	family_quasar
behavioral1/memory/2224-8-0x0000000000D40000-0x000000000108C000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

DefenderScan.exe

pid	Process
2224	DefenderScan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d600758023374f78d58acafbcaf94af66ad203b28e22a.exeDefenderScan.exe

description	pid	Process
Token: SeDebugPrivilege	2884	d600758023374f78d58acafbcaf94af66ad203b28e22a.exe
Token: SeDebugPrivilege	2224	DefenderScan.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DefenderScan.exe

pid	Process
2224	DefenderScan.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d600758023374f78d58acafbcaf94af66ad203b28e22a.exe

description	pid	Process	procid_target
PID 2884 wrote to memory of 2224	2884	d600758023374f78d58acafbcaf94af66ad203b28e22a.exe	30
PID 2884 wrote to memory of 2224	2884	d600758023374f78d58acafbcaf94af66ad203b28e22a.exe	30
PID 2884 wrote to memory of 2224	2884	d600758023374f78d58acafbcaf94af66ad203b28e22a.exe	30

C:\Users\Admin\AppData\Local\Temp\d600758023374f78d58acafbcaf94af66ad203b28e22a.exe
"C:\Users\Admin\AppData\Local\Temp\d600758023374f78d58acafbcaf94af66ad203b28e22a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Roaming\SubDir\DefenderScan.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\DefenderScan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\DefenderScan.exe

Filesize
3.3MB

MD5
e089ca24836249976e2d5dca3678e807

SHA1
8cf9c018fc37aa609b08d49de20e9856b643305b

SHA256
d600758023374f78d58acafbcaf94af66ad203b28e22a305e2a9d53768b7030f

SHA512
76173c832baf4f003f7a2242b1daa8e4021320040de84125d1796c8b67dc2582b607efa77d386db38f6eda5dec892c9fc947b1930695d14687391537aa060f5a

Download Submit
memory/2224-7-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2224-8-0x0000000000D40000-0x000000000108C000-memory.dmp

Filesize
3.3MB

Download
memory/2224-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2224-11-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x0000000001370000-0x00000000016BC000-memory.dmp

Filesize
3.3MB

Download
memory/2884-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-9-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download