quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
71s
max time network
76s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-11-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\kreo q zi.exe	family_quasar
behavioral1/memory/3424-5-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

kreo q zi.exeClient.exe

pid process

3424 kreo q zi.exe
464 Client.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2428 schtasks.exe
2524 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

472 7zFM.exe

pid	process
3424	kreo q zi.exe
464	Client.exe

pid	process
2428	schtasks.exe
2524	schtasks.exe

pid	process
472	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exekreo q zi.exeClient.exe

description	pid	process
Token: SeRestorePrivilege	472	7zFM.exe
Token: 35	472	7zFM.exe
Token: SeSecurityPrivilege	472	7zFM.exe
Token: SeDebugPrivilege	3424	kreo q zi.exe
Token: SeDebugPrivilege	464	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

472 7zFM.exe
472 7zFM.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

464 Client.exe

pid	process
472	7zFM.exe
472	7zFM.exe

pid	process
464	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

kreo q zi.exeClient.exe

description	pid	process	target process
PID 3424 wrote to memory of 2428	3424	kreo q zi.exe	schtasks.exe
PID 3424 wrote to memory of 2428	3424	kreo q zi.exe	schtasks.exe
PID 3424 wrote to memory of 464	3424	kreo q zi.exe	Client.exe
PID 3424 wrote to memory of 464	3424	kreo q zi.exe	Client.exe
PID 464 wrote to memory of 2524	464	Client.exe	schtasks.exe
PID 464 wrote to memory of 2524	464	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:472

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2428
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/464-10-0x000000001C8B0000-0x000000001C900000-memory.dmp

Filesize
320KB

Download
memory/464-11-0x000000001C9C0000-0x000000001CA72000-memory.dmp

Filesize
712KB

Download
memory/464-14-0x000000001C930000-0x000000001C942000-memory.dmp

Filesize
72KB

Download
memory/464-15-0x000000001D4C0000-0x000000001D4FC000-memory.dmp

Filesize
240KB

Download
memory/464-16-0x000000001C950000-0x000000001C980000-memory.dmp

Filesize
192KB

Download
memory/3424-4-0x00007FF9721C3000-0x00007FF9721C5000-memory.dmp

Filesize
8KB

Download
memory/3424-5-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/3424-6-0x00007FF9721C0000-0x00007FF972C82000-memory.dmp

Filesize
10.8MB

Download
memory/3424-9-0x00007FF9721C0000-0x00007FF972C82000-memory.dmp

Filesize
10.8MB

Download