Overview

overview

10

Static

static

1

QuasarHVNC.7z

windows11-21h2-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QuasarHVNC.7z

  • Size

    13.5MB

  • MD5

    54a7c7a1dbdee38f66b9505d7a2f9aa1

  • SHA1

    ef7103d2b79fea4537f519d476343fd4cefb3161

  • SHA256

    e4dffd9c261b227bf45245c8198d9cb0f2542fb3ee7a42a6ce649b8929fb184b

  • SHA512

    f8595b164f34445f8417a7db9bb6e537fcf5107bb82216dce46d80ae5d77087d41eabfa815d3690933a4dd73f60d8322b4ae2f770190f0e71374fc4093c633a1

  • SSDEEP

    393216:kFaHSX+mAhSFDD34oWhSnWV/LdUp/jawfJ:KaE50oj4z4OLdq/jawfJ

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 51 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\QuasarHVNC.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2736
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1288
    • C:\Users\Admin\Desktop\QuasarHVNC\Quasar.exe
      "C:\Users\Admin\Desktop\QuasarHVNC\Quasar.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\QuasarHVNC\quasar.p12"
        2⤵
          PID:1444
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\QuasarHVNC\BouncyCastle.Crypto.dll
        Filesize

        3.2MB

        MD5

        0cf454b6ed4d9e46bc40306421e4b800

        SHA1

        9611aa929d35cbd86b87e40b628f60d5177d2411

        SHA256

        e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

        SHA512

        85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\MaterialSkin.dll
        Filesize

        6.4MB

        MD5

        022f385e55d9d3d42a33b4ca999bf22a

        SHA1

        5d2f22d51d2e87ae8d1f2c1acd3f08f4fdddf107

        SHA256

        3b0e1b3af6d2b8b3d02b6cd52849277c9c8066c2ae565e68253d4551c37492d3

        SHA512

        7fd663b56a2894d1db2ee1032067091f72a4ac301ee8cd392030c6ab186e3bb960d8e35a8591204fc23e9b5a145a2a9ab0092b1c9e6ae5c9c2dc2adf907a891c

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\Open.Nat.dll
        Filesize

        68KB

        MD5

        cc6f6503d29a99f37b73bfd881de8ae0

        SHA1

        92d3334898dbb718408f1f134fe2914ef666ce46

        SHA256

        0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

        SHA512

        7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\Quasar.Common.dll
        Filesize

        69KB

        MD5

        4b39632f200f7cc1117b10889892ed81

        SHA1

        06a82e9b3c209b7f7f10184ac3021fa173b2a4cc

        SHA256

        0a352f27584366da35664b01c603401365f0ddad75b9dd7b783eeb34727fe14e

        SHA512

        5b47fb210bf4d22eecf92a7ef5266471c1a676e47b6a4a994fd9ac930060e9ff4a42d2f2bb4abc398d3d9800bc6d819619459915d48f8181e6c2f106ae714f04

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\Quasar.exe
        Filesize

        1.1MB

        MD5

        dd8295429fd3c14933eed76bae6f2aee

        SHA1

        09f284e0745ed71956463656ea8cf538823f954e

        SHA256

        dafaeb6423c18fe38a3af1fbaf45c5bfad83713e226856f89572561e8425328e

        SHA512

        1abe16b14bd733103878c69bd975fc44bb9d0f95f4b0b24329c74a4c7054c2ddd543698fa93a9e36362697830a5178e1484a3bfca2bc2d06ad7d6ea655877e50

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\Quasar.exe.config
        Filesize

        176B

        MD5

        c8cd50e8472b71736e6543f5176a0c12

        SHA1

        0bd6549820de5a07ac034777b3de60021121405e

        SHA256

        b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

        SHA512

        6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\protobuf-net.dll
        Filesize

        282KB

        MD5

        abc82ae4f579a0bbfa2a93db1486eb38

        SHA1

        faa645b92e3de7037c23e99dd2101ef3da5756e5

        SHA256

        ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

        SHA512

        e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

        Download Submit

      • C:\Users\Admin\Desktop\QuasarHVNC\quasar.p12
        Filesize

        4KB

        MD5

        8025d0822108ebba866c4408d72569f3

        SHA1

        f68a99cd8a803fc025098c3d557518f083e9d4a6

        SHA256

        1848482176330aacce4e6ca8c826a1769851c279349d59eef57aca0e1870b32f

        SHA512

        582b30d1d8fd104c34c3db750638454db47a6bc9343922e11dacad243c9e0f17e65ceb38bb1599deb47bb44ad24e114d1a945b44938b70ce28b2df5a79bedf58

        Download Submit

      • memory/460-144-0x000002012D010000-0x000002012D684000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/460-142-0x0000020112310000-0x000002011242E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/460-149-0x00000201308B0000-0x0000020130BDE000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/460-153-0x00007FFE79593000-0x00007FFE79595000-memory.dmp

        Filesize

        8KB

        Download

      • memory/460-154-0x00007FFE79590000-0x00007FFE7A052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/460-146-0x00000201128A0000-0x00000201128B8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/460-172-0x000002012E7A0000-0x000002012E7B8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/460-147-0x00007FFE79590000-0x00007FFE7A052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/460-173-0x000002012EA20000-0x000002012EA70000-memory.dmp

        Filesize

        320KB

        Download

      • memory/460-174-0x0000020132950000-0x0000020132E1C000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/460-175-0x00000201301A0000-0x0000020130252000-memory.dmp

        Filesize

        712KB

        Download

      • memory/460-177-0x000002012EA70000-0x000002012EABC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/460-141-0x00007FFE79593000-0x00007FFE79595000-memory.dmp

        Filesize

        8KB

        Download

      • memory/460-183-0x00007FFE79590000-0x00007FFE7A052000-memory.dmp

        Filesize

        10.8MB

        Download