quasar | e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

5c90e91232e7e16804a5e2512f56ef0f
SHA1

0f5533f772a53f8a96710a1812d05c5db276d999
SHA256

e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595
SHA512

a96fe2661c18d59a6f84bfeae75eeae0db847b559808cd1f2a2485d3c651cea547a18af1435a5c3f855f31cec7b114ced112ad27b0f7f99abc751a090ff1ebc0
SSDEEP

49152:Svkt62XlaSFNWPjljiFa2RoUYIk7waT5p+Vk/3LoGdjTHHB72eh2NT:Sv462XlaSFNWPjljiFXRoUYIzaD

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0012000000016d3f-7.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2880	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	Client-built.exe
Token: SeDebugPrivilege	2880	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2832	2820	Client-built.exe	30
PID 2820 wrote to memory of 2832	2820	Client-built.exe	30
PID 2820 wrote to memory of 2832	2820	Client-built.exe	30
PID 2820 wrote to memory of 2880	2820	Client-built.exe	32
PID 2820 wrote to memory of 2880	2820	Client-built.exe	32
PID 2820 wrote to memory of 2880	2820	Client-built.exe	32
PID 2880 wrote to memory of 2952	2880	Client.exe	33
PID 2880 wrote to memory of 2952	2880	Client.exe	33
PID 2880 wrote to memory of 2952	2880	Client.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2832
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
1.6MB

MD5
adae08224d013f8f5e10bfd443dc6555

SHA1
8745c7727145a75544ab18528a25ee8b644d5cb2

SHA256
32232d5c465508fae7359021deb84aeb3662dc030935551f9550a3872a787dc8

SHA512
3aa4aad0635594942129cd3a8f73e1e6dea7f2cd41f5beabbc3e493be52220aea7769896b5256d83cad7502dd099dd3f74f87b5a52751db3b532fe04ee42006a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
2.2MB

MD5
8a8dc7154230cf392d258153525d55ba

SHA1
7fa9db130750fdb5fde1251b10bac569c9ca021f

SHA256
707d845b9d2cbece85e7e9813b4fe7df03e9eed201a91d8a23b461fd936578c4

SHA512
e1e8c2c2550ee5ba09bf57fc389f0bac56da73c731b8aa907a42b53221b61b7364d3b766a22849dd687a8af064cb8ed77cf7ce6a00975c54573c713c11e67fe7

Download Submit
memory/2820-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/2820-2-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-9-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-8-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2880-10-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-11-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-12-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads