Malware Analysis Report

2025-01-22 08:33

Sample ID 241027-rm37kayble
Target 952-58-0x00000000002A0000-0x000000000085E000-memory.dmp
SHA256 771db719454b5ec22b4dbcf48b70cc50d204af748464a25bfdb448c6349362b6
Tags
themida nemesis quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

771db719454b5ec22b4dbcf48b70cc50d204af748464a25bfdb448c6349362b6

Threat Level: Known bad

The file 952-58-0x00000000002A0000-0x000000000085E000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

themida nemesis quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Themida packer

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 14:19

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 14:19

Reported

2024-10-27 14:19

Platform

win7-20240903-en

Max time kernel

0s

Max time network

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 14:19

Reported

2024-10-27 14:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows-updater00" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\952-58-0x00000000002A0000-0x000000000085E000-memory.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe

"C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "windows-updater00" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
CA 198.245.116.112:4782 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CA 198.245.116.112:4782 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
CA 198.245.116.112:4782 tcp
CA 198.245.116.112:4782 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
CA 198.245.116.112:4782 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
CA 198.245.116.112:4782 tcp
CA 198.245.116.112:4782 tcp

Files

memory/2428-0-0x00007FFB521E3000-0x00007FFB521E5000-memory.dmp

memory/2428-1-0x0000000000880000-0x0000000000E3E000-memory.dmp

memory/2428-2-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\nemesis.exe

MD5 67185f8ccc2121a0f036db08e761a388
SHA1 43ff5a9d7123902a0106dc1c380529320c5c5048
SHA256 771db719454b5ec22b4dbcf48b70cc50d204af748464a25bfdb448c6349362b6
SHA512 74bc7ec5cd0ae40b7db6cdb527b70fad00256829993d43fa721bed3023d235062f21179d032f304f5b4d3a68b5ad6cbd972cbe2099f6149be6cf8bfbe6cbf14b

memory/2128-8-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp

memory/2428-9-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp

memory/2128-10-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp

memory/2128-11-0x000000001C720000-0x000000001C770000-memory.dmp

memory/2128-12-0x000000001CA30000-0x000000001CAE2000-memory.dmp

memory/2128-13-0x00007FFB521E0000-0x00007FFB52CA1000-memory.dmp