Malware Analysis Report

2025-01-18 04:11

Sample ID: 241101-3q126aykbk
Target: RustRCSController.exe
SHA256: 5ed9d60854afed41799f5c6afe30d99e8b20bd14f22f189c5fea0f5f6d7c4835
Tags: office04 quasar spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 10/10
SHA256: 5ed9d60854afed41799f5c6afe30d99e8b20bd14f22f189c5fea0f5f6d7c4835
Threat Level: Known bad

The file RustRCSController.exe was found to be: Known bad.

Malicious Activity Summary

Tags: office04 quasar spyware trojan

Signatures triggered across the static and behavioral analyses:
Quasar family
Quasar RAT
Quasar payload
Executes dropped EXE
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-01 23:43

Signatures

Quasar family (quasar)
Quasar payload
No description, indicator, process or target recorded.

Unsigned PE
No description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-01 23:43
Reported: 2024-11-01 23:44
Platform: win11-20241007-en
Max time kernel: 29s
Max time network: 32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RustRCSController.exe"

Signatures

Quasar RAT (trojan spyware quasar)
Quasar family (quasar)
Quasar payload
Two hits; no description, indicator, process or target recorded.

Executes dropped EXE
Process: C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe

Scheduled Task/Job: Scheduled Task (persistence, execution)
Process: C:\Windows\SYSTEM32\schtasks.exe (two hits, one per schtasks invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\RustRCSController.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe
Both the original and the dropped copy enable SeDebugPrivilege, the privilege that lets a process open other processes regardless of their ACLs; it is only granted to administrators by default, so seeing it enabled tells you the sample ran elevated.

Suspicious use of SetWindowsHookEx
Process: C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe
SetWindowsHookEx is the API behind user-mode keyboard hooks, the usual keylogging route for a RAT; the report records only that the dropped copy called it, not the hook type.

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\RustRCSController.exe
"C:\Users\Admin\AppData\Local\Temp\RustRCSController.exe"

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe
"C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe"

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe" /rl HIGHEST /f

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

The chain is the stock Quasar client install: the submitted binary copies itself to %APPDATA%\SubDir, registers a scheduled task that runs the copy at every logon with the highest run level available to the user (/rl HIGHEST; /f replaces any task of the same name without prompting), then launches the copy, which repeats the same schtasks registration. The task name "Quasar Client Startup" and the SubDir directory are Quasar defaults and hunting handles on their own. The rundll32 line is a shell32 COM local-server activation (-Embedding marks an out-of-process COM launch); the report does not give its parent process, so do not treat it as an indicator of this sample without checking parentage in your own telemetry.
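The schtasks line above is the thing to detect, and a literal match on the task name only catches unmodified Quasar builds. The following is an added example, not code from the report or from Quasar: it parses schtasks command lines from process-creation events and scores the persistence pattern (/create with a logon trigger, /rl HIGHEST, an action under a user-writable path, /f), so that a renamed task still scores. The event tuples, their PIDs and the benign lines are constructed for the example; the scoring weights are my own choice.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events as (pid, image, command line), modelled on
# Sysmon Event ID 1. The two schtasks /create lines are the ones the report lists
# (their PIDs are made up); the remaining events are invented benign activity.
SAMPLE_EVENTS = [
    (3012, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe" /rl HIGHEST /f'),
    (4412, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe" /rl HIGHEST /f'),
    (1234, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    (1300, r"C:\Windows\System32\schtasks.exe", r'schtasks /query /tn "Nightly Backup"'),
    (1400, r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]

# Directories a standard user can write to; a task action living there is
# user-controlled code rather than an installed product.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Triggers that re-run the action every session or boot: the persistence idiom.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART"}
# Task name the report shows; Quasar's default, matched case-insensitively.
KNOWN_TASK_NAMES = re.compile(r"quasar client startup", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks invocation, or None for any other program.
    Options are lower-cased without the slash; a switch with no argument maps to True."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


@dataclass
class Finding:
    pid: int
    task_name: str
    action: str
    score: int
    reasons: list = field(default_factory=list)


def assess(pid, cmdline):
    """Score a schtasks /create for the persistence pattern the report shows;
    returns None when the event is not a task creation at all."""
    opts = parse_schtasks(cmdline)
    if opts is None or "create" not in opts:
        return None
    f = Finding(pid, str(opts.get("tn", "")), str(opts.get("tr", "")), 0)
    trigger = str(opts.get("sc", "")).upper()
    if trigger in PERSISTENT_TRIGGERS:
        f.score += 2
        f.reasons.append(f"re-runs on {trigger}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        f.score += 2
        f.reasons.append("runs with highest privileges")
    if USER_WRITABLE.search(f.action):
        f.score += 3
        f.reasons.append("action lives in a user-writable path")
    if opts.get("f") is True:
        f.score += 1
        f.reasons.append("/f overwrites any existing task silently")
    if KNOWN_TASK_NAMES.search(f.task_name):
        f.score += 4
        f.reasons.append("task name is Quasar's default")
    return f


def hunt(events, threshold=5):
    """Return findings at or above the threshold, in event order."""
    hits = []
    for pid, _image, cmdline in events:
        f = assess(pid, cmdline)
        if f is not None and f.score >= threshold:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score} task={f.task_name!r} action={f.action!r}")
        for reason in f.reasons:
            print("   -", reason)
```

With the default threshold the nightly backup task scores 0 and the two Quasar registrations score 12 each; a renamed task with the same trigger, run level and %APPDATA% action still scores 8, which is the point of scoring the shape rather than the name.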

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             98.209.201.84.in-addr.arpa     udp
N/A      192.168.254.105:4782                                  tcp
N/A      192.168.254.105:4782                                  tcp
N/A      88.221.134.251:443                                    tcp
SE       192.229.221.95:80                                     tcp

The two UDP rows are reverse (PTR) lookups for 40.126.32.68 and 84.201.209.98 respectively; an in-addr.arpa name carries the octets in reverse order. The two TCP rows to 192.168.254.105:4782 are the C2 attempts: 4782 is Quasar's default port, and the address is RFC 1918 private, which is why no country is shown; the client was built against a lab or internal host, and the repeated row is two connection attempts. The remaining two TCP destinations have no recorded domain and the report does not tie them to the sample's process tree.
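Reading a sandbox network table by hand is where PTR names get mis-transcribed and private C2 addresses get pasted into blocklists. The following is an added example, not part of the report: it parses the rows above (copied in as the input), decodes in-addr.arpa names back to the address being looked up, flags RFC 1918 destinations and Quasar's default port, and collapses repeated attempts to one candidate per host:port. The wording of the notes is my own; rows that pick up no note stay unattributed on purpose.

```python
import ipaddress

QUASAR_DEFAULT_PORT = 4782  # port a stock Quasar client/server build uses

# The report's Network table, copied verbatim as this example's input.
NETWORK_TABLE = """\
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
N/A 192.168.254.105:4782 tcp
N/A 192.168.254.105:4782 tcp
N/A 88.221.134.251:443 tcp
SE 192.229.221.95:80 tcp
"""


def ptr_to_ip(name):
    """Turn an in-addr.arpa PTR name back into the IPv4 address being looked up.
    The name holds the octets reversed: 68.32.126.40.in-addr.arpa asks about
    40.126.32.68. Returns None for anything that is not a well-formed v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Parse 'country destination [domain] proto' rows into dicts; the domain
    column is optional, which is why rows are split by field count."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Attach analyst notes to each row. A row with no notes is left unattributed:
    nothing on the page links it to the sample."""
    out = []
    for r in rows:
        notes = []
        if ipaddress.ip_address(r["ip"]).is_private:
            notes.append("RFC 1918 destination: a lab/internal address, not a public C2")
        if r["port"] == QUASAR_DEFAULT_PORT:
            notes.append("Quasar default port")
        target = ptr_to_ip(r["domain"]) if r["domain"] else None
        if target:
            notes.append(f"PTR lookup of {target}")
        out.append({**r, "notes": notes})
    return out


def c2_candidates(triaged):
    """Collapse flagged TCP rows to one entry per host:port with an attempt count."""
    counts = {}
    for r in triaged:
        if r["proto"] == "tcp" and r["notes"]:
            key = (r["ip"], r["port"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    triaged = triage(parse_rows(NETWORK_TABLE))
    for r in triaged:
        print(f"{r['ip']}:{r['port']}/{r['proto']}", "; ".join(r["notes"]) or "(unattributed)")
    for (ip, port), n in c2_candidates(triaged).items():
        print(f"C2 candidate {ip}:{port}, {n} attempt(s)")
```

The only candidate that survives is 192.168.254.105:4782 with two attempts, which is the right outcome: the address is not something to block at an edge firewall, but the port and the SubDir persistence together are what you would hunt for internally.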

Files

C:\Users\Admin\AppData\Roaming\SubDir\RustRCSController.exe
MD5    be28df7fa7d56618aa9d68f128f1ad6e
SHA1   f7057f68a15d4bb16a4879ae5e86add4de34d130
SHA256 5ed9d60854afed41799f5c6afe30d99e8b20bd14f22f189c5fea0f5f6d7c4835
SHA512 1367c799c758c62b65dc75fc85fcdf1838aa9b52a480dc60bd27fdad468ccd2890e60e4f7966a8f263e6173fe9e3493ec01387525b1acfc0730ce1cb84e156d6
The SHA256 is the submitted sample's own hash: the dropped file is a byte-identical self-copy, so one hash covers both the file in %TEMP% and the persisted copy in %APPDATA%\SubDir.

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustRCSController.exe.log
MD5    b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1   31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
The .NET runtime writes this usage log when it runs a managed executable, which fits Quasar being a .NET RAT.

Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp and listed in capture order; by that order PID 496 is the submitted process and PID 4296 the dropped copy:
memory/496-0-0x00007FF8EB363000-0x00007FF8EB365000-memory.dmp
memory/496-1-0x00000000001E0000-0x0000000000504000-memory.dmp
memory/496-2-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp
memory/4296-10-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp
memory/496-11-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp
memory/4296-12-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp
memory/4296-13-0x000000001C0E0000-0x000000001C130000-memory.dmp
memory/4296-14-0x000000001C1F0000-0x000000001C2A2000-memory.dmp
memory/4296-15-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp
The 0x00007FF8EB360000-0x00007FF8EBE22000 range is dumped from both PIDs at the same address, and the 496-0 dump is two pages inside it. A range at an identical base in two processes is normally a DLL at its per-boot ASLR base in both, so check the module list before reading it as injected code. The 0x00000000001E0000-0x0000000000504000 dump (0x324000 bytes) is the only large region private to PID 496.
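The dump list is more useful once the names are parsed than as a wall of hex. The following is an added example, not part of the report: it parses the memory/<pid>-<sequence>-<start>-<end>-memory.dmp naming scheme above, computes region sizes, and separates ranges that appear in both PIDs at the same address (shared image mappings) from ranges private to one process (where unpacked or heap-allocated code lives). The name list is copied from the report; the interpretation of shared ranges as a DLL at its per-boot base is stated in the comments as an assumption to verify against the module list.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Dump names from the report's Files section, in the order listed.
DUMP_NAMES = [
    "memory/496-0-0x00007FF8EB363000-0x00007FF8EB365000-memory.dmp",
    "memory/496-1-0x00000000001E0000-0x0000000000504000-memory.dmp",
    "memory/496-2-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp",
    "memory/4296-10-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp",
    "memory/496-11-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp",
    "memory/4296-12-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp",
    "memory/4296-13-0x000000001C0E0000-0x000000001C130000-memory.dmp",
    "memory/4296-14-0x000000001C1F0000-0x000000001C2A2000-memory.dmp",
    "memory/4296-15-0x00007FF8EB360000-0x00007FF8EBE22000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start, end and size in bytes.
    Returns None for names that do not follow the scheme."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Distinct (start, end) ranges per PID; repeat dumps of one range collapse to one."""
    by_pid = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        if d:
            by_pid[d["pid"]].add((d["start"], d["end"]))
    return dict(by_pid)


def shared_regions(names):
    """Ranges dumped from more than one PID at the identical address. Assumption to
    verify against the module list: such a range is a DLL mapped at its per-boot
    ASLR base in both processes, not code one process wrote into the other."""
    owners = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            owners[r].add(pid)
    return {r for r, pids in owners.items() if len(pids) > 1}


def private_regions(names, pid):
    """Ranges unique to one PID as (start, end, size), largest first; these are
    where an unpacked image or allocated code would be found."""
    shared = shared_regions(names)
    own = [r for r in regions_by_pid(names).get(pid, set()) if r not in shared]
    return sorted(((s, e, e - s) for s, e in own), key=lambda t: -t[2])


if __name__ == "__main__":
    for s, e in sorted(shared_regions(DUMP_NAMES)):
        print(f"shared  {s:#018x}-{e:#018x} ({e - s:#x} bytes)")
    for pid in sorted(regions_by_pid(DUMP_NAMES)):
        for s, e, size in private_regions(DUMP_NAMES, pid):
            print(f"pid {pid:<5} private {s:#018x}-{e:#018x} ({size:#x} bytes)")
```

Run against the list above it reports one shared range (the 0xAC2000-byte mapping at 0x00007FF8EB360000 seen in both PIDs), a 0x324000-byte private region in PID 496, and two smaller private regions in PID 4296; those private regions are the dumps worth opening first.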