quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
38s
max time network
39s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/11/2024, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000450c4-2.dat	family_quasar
behavioral1/memory/3736-5-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 5 IoCs

pid	Process
3736	kreo q zi.exe
1732	Client.exe
3280	Client.exe
1716	Client.exe
3208	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1864	PING.EXE
736	PING.EXE
116	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1864	PING.EXE
736	PING.EXE
116	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3192	schtasks.exe
3500	schtasks.exe
580	schtasks.exe
2176	schtasks.exe
4676	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2404	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2404	7zFM.exe
Token: 35	2404	7zFM.exe
Token: SeSecurityPrivilege	2404	7zFM.exe
Token: SeDebugPrivilege	3736	kreo q zi.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	3280	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	3208	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2404	7zFM.exe
2404	7zFM.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3192	3736	kreo q zi.exe	91
PID 3736 wrote to memory of 3192	3736	kreo q zi.exe	91
PID 3736 wrote to memory of 1732	3736	kreo q zi.exe	93
PID 3736 wrote to memory of 1732	3736	kreo q zi.exe	93
PID 1732 wrote to memory of 3500	1732	Client.exe	94
PID 1732 wrote to memory of 3500	1732	Client.exe	94
PID 1732 wrote to memory of 2452	1732	Client.exe	96
PID 1732 wrote to memory of 2452	1732	Client.exe	96
PID 2452 wrote to memory of 3548	2452	cmd.exe	98
PID 2452 wrote to memory of 3548	2452	cmd.exe	98
PID 2452 wrote to memory of 1864	2452	cmd.exe	99
PID 2452 wrote to memory of 1864	2452	cmd.exe	99
PID 2452 wrote to memory of 3280	2452	cmd.exe	102
PID 2452 wrote to memory of 3280	2452	cmd.exe	102
PID 3280 wrote to memory of 580	3280	Client.exe	103
PID 3280 wrote to memory of 580	3280	Client.exe	103
PID 3280 wrote to memory of 524	3280	Client.exe	105
PID 3280 wrote to memory of 524	3280	Client.exe	105
PID 524 wrote to memory of 1308	524	cmd.exe	107
PID 524 wrote to memory of 1308	524	cmd.exe	107
PID 524 wrote to memory of 736	524	cmd.exe	108
PID 524 wrote to memory of 736	524	cmd.exe	108
PID 524 wrote to memory of 1716	524	cmd.exe	109
PID 524 wrote to memory of 1716	524	cmd.exe	109
PID 1716 wrote to memory of 2176	1716	Client.exe	110
PID 1716 wrote to memory of 2176	1716	Client.exe	110
PID 1716 wrote to memory of 3608	1716	Client.exe	112
PID 1716 wrote to memory of 3608	1716	Client.exe	112
PID 3608 wrote to memory of 4836	3608	cmd.exe	114
PID 3608 wrote to memory of 4836	3608	cmd.exe	114
PID 3608 wrote to memory of 116	3608	cmd.exe	115
PID 3608 wrote to memory of 116	3608	cmd.exe	115
PID 3608 wrote to memory of 3208	3608	cmd.exe	117
PID 3608 wrote to memory of 3208	3608	cmd.exe	117
PID 3208 wrote to memory of 4676	3208	Client.exe	118
PID 3208 wrote to memory of 4676	3208	Client.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2404

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3192
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q20qrBWQjORk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3548
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1864
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9xQat6F2Panq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1308
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:736
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gXTUau0na5yD.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xQat6F2Panq.bat

Filesize
207B

MD5
1fd0b78c28e4f1317ccd02586fd0729d

SHA1
9396be28d03f0cbb13ce3b0ed1f72c7da6904c73

SHA256
a3ae0114f19dcd6cc7e53c72bd26af5c76e421ed01ee119c66f1492567c9209c

SHA512
b778ea826ccfbf9d7d48faf817f89fc9ddd55bf834bcbcc5152284b9afa2fcd0b7ea4ed0b7684beade7a91e4ac9f98f97f40b33f89be84440bb548206e5431db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXTUau0na5yD.bat

Filesize
207B

MD5
ce28219f3692c9472b4fb441f2cd8dfc

SHA1
bea6dc848fc63b5809d73cec39a24d033dfe6cd9

SHA256
fb743cba17dbbdd77d938b23aa539efdef1d0bec85d4691b9c13d00e7609e123

SHA512
aeded2982e637616cdd42b332b70aba7b68328546ab68a94a2c284578a0b0c464096df84b59f058c1922cead61e90e83f7426733fa11a51c0575840f431a3af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\q20qrBWQjORk.bat

Filesize
207B

MD5
c3d50a7d410246cc64b956552c57778d

SHA1
9c1b1eefaf93819dc24555cc76d58f5c617d5e58

SHA256
3dc0ff38ce9b47fad65216a3ceb4fd713c2227c5b45cdee073b96305182d894c

SHA512
0d1525cb320c715dd2c44c5cc2c8816f3b773b09ce36bca39712951535e9d6bc725a49f9063fa29231985f644b7c57a959cdea9ea91d1d79d6f8db6c588ab3b7

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/1732-10-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/1732-11-0x000000001C370000-0x000000001C422000-memory.dmp

Filesize
712KB

Download
memory/3736-4-0x00007FFA33653000-0x00007FFA33655000-memory.dmp

Filesize
8KB

Download
memory/3736-5-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/3736-6-0x00007FFA33650000-0x00007FFA34112000-memory.dmp

Filesize
10.8MB

Download
memory/3736-9-0x00007FFA33650000-0x00007FFA34112000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads