quasar | 075d1d85bd0d343aa52f28b0f479c91248b8ffc72a263288490ffb76b1c8ccbe

Analysis

max time kernel
1046s
max time network
1053s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-11-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mas valores.exe
Size

3.1MB
MD5

96e2ea5919379a8b3a4f9356e76db7cf
SHA1

331e3e6adf0a64d6f3ebf7df02f3f009e0f4031d
SHA256

075d1d85bd0d343aa52f28b0f479c91248b8ffc72a263288490ffb76b1c8ccbe
SHA512

d02e8e126505f8c84fe164c1c71d1a2be76d97faf87de1210b5935c893af847ced72c8147e0c0c5ff1cff0e26d27ad970a8c0e91abf2a08ffb5e177cb1832197
SSDEEP

49152:zv+lL26AaNeWgPhlmVqvMQ7XSKVsRJ6zbR3LoGdxTTHHB72eh2NT:zvuL26AaNeWgPhlmVqkQ7XSKVsRJ6l

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Inversin-33856.portmap.host:33856

Mutex

addad9d5-e576-410c-a7ed-6fb91e2950f5

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4320-1-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar
behavioral1/files/0x00290000000450cd-3.dat	family_quasar

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 42 IoCs

Processes:

pid	Process
1616	Client.exe
1996	Client.exe
4032	Client.exe
3720	Client.exe
216	Client.exe
4556	Client.exe
1952	Client.exe
112	Client.exe
2484	Client.exe
2808	Client.exe
5080	Client.exe
4980	Client.exe
392	Client.exe
1200	Client.exe
3844	Client.exe
4768	Client.exe
1540	Client.exe
3564	Client.exe
2552	Client.exe
1548	Client.exe
524	Client.exe
1428	Client.exe
3052	Client.exe
2216	Client.exe
3844	Client.exe
1140	Client.exe
1736	Client.exe
472	Client.exe
4428	Client.exe
3656	Client.exe
3120	Client.exe
1756	Client.exe
1656	Client.exe
4148	Client.exe
1712	Client.exe
4188	Client.exe
3416	Client.exe
2780	Client.exe
4472	Client.exe
3008	Client.exe
3132	Client.exe
1772	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 42 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1564	PING.EXE
2112	PING.EXE
4616	PING.EXE
3268	PING.EXE
2396	PING.EXE
3020	PING.EXE
1004	PING.EXE
4140	PING.EXE
1196	PING.EXE
3236	PING.EXE
3120	PING.EXE
1288	PING.EXE
932	PING.EXE
4264	PING.EXE
1528	PING.EXE
1284	PING.EXE
4200	PING.EXE
2100	PING.EXE
4588	PING.EXE
220	PING.EXE
3384	PING.EXE
1280	PING.EXE
3852	PING.EXE
3904	PING.EXE
3872	PING.EXE
1648	PING.EXE
5060	PING.EXE
5076	PING.EXE
1140	PING.EXE
3416	PING.EXE
3764	PING.EXE
1456	PING.EXE
1916	PING.EXE
3124	PING.EXE
1628	PING.EXE
2104	PING.EXE
868	PING.EXE
3772	PING.EXE
4708	PING.EXE
1676	PING.EXE
1304	PING.EXE
728	PING.EXE

Runs ping.exe 1 TTPs 42 IoCs

Remote System Discovery

T1018

Processes:

pid	Process
3268	PING.EXE
1140	PING.EXE
1916	PING.EXE
1284	PING.EXE
868	PING.EXE
1288	PING.EXE
1304	PING.EXE
3772	PING.EXE
3124	PING.EXE
3236	PING.EXE
728	PING.EXE
1004	PING.EXE
3416	PING.EXE
3384	PING.EXE
1648	PING.EXE
3904	PING.EXE
2100	PING.EXE
5076	PING.EXE
1676	PING.EXE
1628	PING.EXE
4616	PING.EXE
2396	PING.EXE
5060	PING.EXE
1564	PING.EXE
1280	PING.EXE
2112	PING.EXE
4708	PING.EXE
1196	PING.EXE
3872	PING.EXE
3020	PING.EXE
4264	PING.EXE
1456	PING.EXE
3852	PING.EXE
932	PING.EXE
3120	PING.EXE
220	PING.EXE
3764	PING.EXE
1528	PING.EXE
2104	PING.EXE
4140	PING.EXE
4200	PING.EXE
4588	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2600	schtasks.exe
3092	schtasks.exe
2320	schtasks.exe
1552	schtasks.exe
3336	schtasks.exe
4396	schtasks.exe
864	schtasks.exe
3132	schtasks.exe
2400	schtasks.exe
520	schtasks.exe
1496	schtasks.exe
5108	schtasks.exe
920	schtasks.exe
3568	schtasks.exe
544	schtasks.exe
3108	schtasks.exe
4612	schtasks.exe
1132	schtasks.exe
2068	schtasks.exe
1468	schtasks.exe
2940	schtasks.exe
2160	schtasks.exe
4684	schtasks.exe
1656	schtasks.exe
4676	schtasks.exe
2028	schtasks.exe
4984	schtasks.exe
1344	schtasks.exe
2460	schtasks.exe
5016	schtasks.exe
2164	schtasks.exe
4228	schtasks.exe
2636	schtasks.exe
380	schtasks.exe
3264	schtasks.exe
2112	schtasks.exe
3864	schtasks.exe
3992	schtasks.exe
4068	schtasks.exe
2992	schtasks.exe
3352	schtasks.exe
2664	schtasks.exe
1556	schtasks.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid	Process
4