Overview

overview

10

Static

static

10

Quasar.v1.4.1.zip

windows11-21h2-x64

10

Resubmissions

09/11/2024, 14:57

241109-sbr6lawgmc 10

09/11/2024, 14:55

241109-sasezawhkj 10

Analysis

  • max time kernel
    85s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/11/2024, 14:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 51 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4020
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1144
    • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
      "C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
        2⤵
          PID:3452
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:5028

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Desktop\Quasar v1.4.1\BouncyCastle.Crypto.dll
              Filesize

              3.2MB

              MD5

              0cf454b6ed4d9e46bc40306421e4b800

              SHA1

              9611aa929d35cbd86b87e40b628f60d5177d2411

              SHA256

              e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

              SHA512

              85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.Pdb.dll
              Filesize

              87KB

              MD5

              6d5eb860c2be5dbeb470e7d3f3e7dda4

              SHA1

              80c76660b87c52127b1a7da48e27700f75362041

              SHA256

              447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

              SHA512

              64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\Open.Nat.dll
              Filesize

              68KB

              MD5

              cc6f6503d29a99f37b73bfd881de8ae0

              SHA1

              92d3334898dbb718408f1f134fe2914ef666ce46

              SHA256

              0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

              SHA512

              7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.Common.dll
              Filesize

              62KB

              MD5

              2185564051ea2e046d9f711ed3cd93ff

              SHA1

              2f2d7fd470da6d126582ad80df2802aabd6c9cea

              SHA256

              de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

              SHA512

              00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
              Filesize

              1.2MB

              MD5

              12ebf922aa80d13f8887e4c8c5e7be83

              SHA1

              7f87a80513e13efd45175e8f2511c2cd17ff51e8

              SHA256

              43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

              SHA512

              fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe.config
              Filesize

              176B

              MD5

              c8cd50e8472b71736e6543f5176a0c12

              SHA1

              0bd6549820de5a07ac034777b3de60021121405e

              SHA256

              b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

              SHA512

              6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\protobuf-net.dll
              Filesize

              282KB

              MD5

              abc82ae4f579a0bbfa2a93db1486eb38

              SHA1

              faa645b92e3de7037c23e99dd2101ef3da5756e5

              SHA256

              ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

              SHA512

              e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

              Download Submit

            • C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12
              Filesize

              4KB

              MD5

              0215563b4fa759b018ce9e2b59224458

              SHA1

              95ff73f34969236a2359d40d555959683a80ce9a

              SHA256

              c356ce6814f9f2f9d5de99ac6afb2464ac050158de287e09094fd09bde8cbb5e

              SHA512

              c83d509830cb0e67d8124979f5520525eff51dae6ec958cd72586d4837900cc47240bf5954c43ffbdb02574bb2863084fc0cb04aa4fe61b937c0e7595f58e827

              Download Submit

            • memory/4552-53-0x00000121EEE50000-0x00000121EF17E000-memory.dmp

              Filesize

              3.2MB

              Download

            • memory/4552-51-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4552-50-0x00000121D3C80000-0x00000121D3C96000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4552-74-0x00000121EEA40000-0x00000121EEA58000-memory.dmp

              Filesize

              96KB

              Download

            • memory/4552-75-0x00000121EEAB0000-0x00000121EEB00000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4552-76-0x00000121EEC00000-0x00000121EECB2000-memory.dmp

              Filesize

              712KB

              Download

            • memory/4552-78-0x00000121EEB40000-0x00000121EEB8C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4552-48-0x00000121D1E00000-0x00000121D1F38000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4552-79-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4552-47-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

              Filesize

              8KB

              Download