Resubmissions

09-11-2024 14:57

241109-sbr6lawgmc 10

09-11-2024 14:55

241109-sasezawhkj 10

Analysis

  • max time kernel
    85s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-11-2024 14:57

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 51 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4020
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1144
  • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
      2⤵
      PID:3452
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:5028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\Quasar v1.4.1\BouncyCastle.Crypto.dll

    Filesize

    3.2MB

    MD5

    0cf454b6ed4d9e46bc40306421e4b800

    SHA1

    9611aa929d35cbd86b87e40b628f60d5177d2411

    SHA256

    e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

    SHA512

    85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

  • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.Pdb.dll

    Filesize

    87KB

    MD5

    6d5eb860c2be5dbeb470e7d3f3e7dda4

    SHA1

    80c76660b87c52127b1a7da48e27700f75362041

    SHA256

    447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

    SHA512

    64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

  • C:\Users\Admin\Desktop\Quasar v1.4.1\Open.Nat.dll

    Filesize

    68KB

    MD5

    cc6f6503d29a99f37b73bfd881de8ae0

    SHA1

    92d3334898dbb718408f1f134fe2914ef666ce46

    SHA256

    0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

    SHA512

    7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

  • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.Common.dll

    Filesize

    62KB

    MD5

    2185564051ea2e046d9f711ed3cd93ff

    SHA1

    2f2d7fd470da6d126582ad80df2802aabd6c9cea

    SHA256

    de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

    SHA512

    00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

  • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe

    Filesize

    1.2MB

    MD5

    12ebf922aa80d13f8887e4c8c5e7be83

    SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

    SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

    SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

  • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe.config

    Filesize

    176B

    MD5

    c8cd50e8472b71736e6543f5176a0c12

    SHA1

    0bd6549820de5a07ac034777b3de60021121405e

    SHA256

    b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

    SHA512

    6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

  • C:\Users\Admin\Desktop\Quasar v1.4.1\protobuf-net.dll

    Filesize

    282KB

    MD5

    abc82ae4f579a0bbfa2a93db1486eb38

    SHA1

    faa645b92e3de7037c23e99dd2101ef3da5756e5

    SHA256

    ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

    SHA512

    e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

  • C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12

    Filesize

    4KB

    MD5

    0215563b4fa759b018ce9e2b59224458

    SHA1

    95ff73f34969236a2359d40d555959683a80ce9a

    SHA256

    c356ce6814f9f2f9d5de99ac6afb2464ac050158de287e09094fd09bde8cbb5e

    SHA512

    c83d509830cb0e67d8124979f5520525eff51dae6ec958cd72586d4837900cc47240bf5954c43ffbdb02574bb2863084fc0cb04aa4fe61b937c0e7595f58e827

  • memory/4552-53-0x00000121EEE50000-0x00000121EF17E000-memory.dmp

    Filesize

    3.2MB

  • memory/4552-51-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

    Filesize

    10.8MB

  • memory/4552-50-0x00000121D3C80000-0x00000121D3C96000-memory.dmp

    Filesize

    88KB

  • memory/4552-74-0x00000121EEA40000-0x00000121EEA58000-memory.dmp

    Filesize

    96KB

  • memory/4552-75-0x00000121EEAB0000-0x00000121EEB00000-memory.dmp

    Filesize

    320KB

  • memory/4552-76-0x00000121EEC00000-0x00000121EECB2000-memory.dmp

    Filesize

    712KB

  • memory/4552-78-0x00000121EEB40000-0x00000121EEB8C000-memory.dmp

    Filesize

    304KB

  • memory/4552-48-0x00000121D1E00000-0x00000121D1F38000-memory.dmp

    Filesize

    1.2MB

  • memory/4552-79-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

    Filesize

    10.8MB

  • memory/4552-47-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

    Filesize

    8KB