Overview

overview

10

Static

static

10

Quasar.v1.4.1.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    190s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasartestspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Extracted

Family

quasar

Version

1.4.1

Botnet

test

C2

10.127.0.107:4782

Mutex

2dcb6fc0-8185-4f23-976e-7aef72c5eac8

Attributes
  • encryption_key

    C8FE3F0F96017E1192DE042ED6018751E0CEE9AC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3308
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2404
    • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
      "C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
        2⤵
          PID:3984
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3488
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          2⤵
          • Gathers network information
          PID:1084
      • C:\Users\Admin\Desktop\Client-built.exe
        "C:\Users\Admin\Desktop\Client-built.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:400
        • C:\Windows\system32\SubDir\Client.exe
          "C:\Windows\system32\SubDir\Client.exe"
          2⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4384

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\16a14ab836194c36a37b0ef512ad1cbd_cca0d105-8260-4611-8c12-bd85a7208b9f
        Filesize

        3KB

        MD5

        ecbb556c0f21388f3c8f6cdb8850da85

        SHA1

        05f70be8b4f9f9b1df94a4f4d454617c274b41a2

        SHA256

        0637e45879f23ecd32fb79808ea221d22cc73a899b42a70de5c95320abd5d729

        SHA512

        5cc14cfec6a3da40fe37e09ba2df6b8ffa91c992e0f7d996c8d3f4ded21cae24b7f63be34e199a34fe8449f982147d192282a5f1e52f4563312296624af204be

        Download Submit

      • C:\Users\Admin\Desktop\Client-built.exe
        Filesize

        3.1MB

        MD5

        8392e1d9fc0aaae924dc5a5734066ca4

        SHA1

        909a01c97d3206097635667327522fecd117d425

        SHA256

        d2da2ff809ae5f340eee8cd9c42027c2b7c95067c5b0556b986ea8e29363213a

        SHA512

        e462b0d0599b68c5b1f54cc8c8fc16aaf7dd12cd22af4cca10454d9d3efaa48c828703931613419acbbaf42e9f66c2a5ffb8ae1976ce6ce5fb52d81d7b78398d

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\BouncyCastle.Crypto.dll
        Filesize

        3.2MB

        MD5

        0cf454b6ed4d9e46bc40306421e4b800

        SHA1

        9611aa929d35cbd86b87e40b628f60d5177d2411

        SHA256

        e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

        SHA512

        85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Gma.System.MouseKeyHook.dll
        Filesize

        56KB

        MD5

        bfb3bd1cb571360435100bfa6ed2b997

        SHA1

        1325e8dd76180a165117e04da4ee4a020e996880

        SHA256

        a67a424013544c8270c12633e2e1e287cd5cf0b3f2e81e8d8204b37a03da59ef

        SHA512

        ae5a88a9e86b9e64b8c289213f814586dfa5fe5e0cc21bdbc3e48c36d81fa9e763c6e78f24e40df07696228270ad72f408846125e61e33cae867ef8ff88a3c15

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.dll
        Filesize

        350KB

        MD5

        de69bb29d6a9dfb615a90df3580d63b1

        SHA1

        74446b4dcc146ce61e5216bf7efac186adf7849b

        SHA256

        f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

        SHA512

        6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Open.Nat.dll
        Filesize

        68KB

        MD5

        cc6f6503d29a99f37b73bfd881de8ae0

        SHA1

        92d3334898dbb718408f1f134fe2914ef666ce46

        SHA256

        0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

        SHA512

        7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml
        Filesize

        238B

        MD5

        308b89cd90bf4c581ece867ffd2f42b4

        SHA1

        284949496518808e73a37e2e53d39d6770b41e9e

        SHA256

        6d804b565a56dc9da14494a1a831ff3c136598b4dbf8b5f16b9fd16b71656a6d

        SHA512

        3cd20f76463b24e77a50d7c71287f9bfb2aae56df8a3eb3e58e3e694504b3fab0b4323c60bcbfbf038c3f34ed967a7deeee2069ff3344b41db39445a16ba8727

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml
        Filesize

        1017B

        MD5

        aa8158bca01a2e115c124c6443b06cd6

        SHA1

        9aa71dcc1d7f5c2fe6757989791d04dee0b36d6b

        SHA256

        55bdc17b2788a1aef38268e8d1bd92048ad89278b9793f13e11cb7b7133fd804

        SHA512

        8bc56b379daf7446f3d0c44617985f1317c6ce5899b80982854f2c743e7d0cc5c6813271dad1cf3fcbaa6d996e70d2b1953f5d331be6f933112986bdffe8e046

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.Common.dll
        Filesize

        62KB

        MD5

        2185564051ea2e046d9f711ed3cd93ff

        SHA1

        2f2d7fd470da6d126582ad80df2802aabd6c9cea

        SHA256

        de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

        SHA512

        00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
        Filesize

        1.2MB

        MD5

        12ebf922aa80d13f8887e4c8c5e7be83

        SHA1

        7f87a80513e13efd45175e8f2511c2cd17ff51e8

        SHA256

        43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

        SHA512

        fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe.config
        Filesize

        176B

        MD5

        c8cd50e8472b71736e6543f5176a0c12

        SHA1

        0bd6549820de5a07ac034777b3de60021121405e

        SHA256

        b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

        SHA512

        6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\Vestris.ResourceLib.dll
        Filesize

        76KB

        MD5

        944ce5123c94c66a50376e7b37e3a6a6

        SHA1

        a1936ac79c987a5ba47ca3d023f740401f73529b

        SHA256

        7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

        SHA512

        4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\client.bin
        Filesize

        3.1MB

        MD5

        f4d16cfe4cad388255e43f258329f805

        SHA1

        fe7cc6c9eb76b5ad97867b46d053fae601fd4a2d

        SHA256

        8fb6ae3496d4ac025eab443d3e322b0faa3461d25b54093c9205d35746e3250e

        SHA512

        867045eac0f7765e6bea51e62bc4ed68b1e81ce6c2843d2e08714eb391a8ac94c2571c09828286252248400ea5c12bffa50a25c8ec5ad9e6d0bb836320ec188f

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\protobuf-net.dll
        Filesize

        282KB

        MD5

        abc82ae4f579a0bbfa2a93db1486eb38

        SHA1

        faa645b92e3de7037c23e99dd2101ef3da5756e5

        SHA256

        ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

        SHA512

        e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

        Download Submit

      • C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12
        Filesize

        4KB

        MD5

        8fea9e12b4a0345cdecf636a5f05da1f

        SHA1

        f54bfe66df6b94976346e42d3027d220ea9423af

        SHA256

        fc7920f38e82f8e3fa07023f5442d1a77fded0c8bb45e2e81b9724827f72494b

        SHA512

        20a21ebf960fab449700d286238f10dfff176eeaef334ed729c49f3dcecfeb15077791a447c4b5f83d9d9c3dcd42bd85bca0e0f0767fadd68aa688c201f303b8

        Download Submit

      • memory/844-53-0x000001AF7F470000-0x000001AF7F79E000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/844-51-0x00007FF80ED30000-0x00007FF80F7F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/844-82-0x00007FF80ED30000-0x00007FF80F7F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/844-80-0x000001AF7F150000-0x000001AF7F19C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/844-78-0x000001AF7F210000-0x000001AF7F2C2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/844-88-0x000001AF7E630000-0x000001AF7E64A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/844-77-0x000001AF7E8B0000-0x000001AF7E900000-memory.dmp

        Filesize

        320KB

        Download

      • memory/844-86-0x000001AF7F2D0000-0x000001AF7F32E000-memory.dmp

        Filesize

        376KB

        Download

      • memory/844-76-0x000001AF7E610000-0x000001AF7E628000-memory.dmp

        Filesize

        96KB

        Download

      • memory/844-81-0x00007FF80ED33000-0x00007FF80ED35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/844-50-0x000001AF639D0000-0x000001AF639E6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/844-48-0x000001AF61BD0000-0x000001AF61D08000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/844-223-0x000001AF7E650000-0x000001AF7E662000-memory.dmp

        Filesize

        72KB

        Download

      • memory/844-47-0x00007FF80ED33000-0x00007FF80ED35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1872-219-0x000000001C540000-0x000000001C57C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1872-218-0x000000001C480000-0x000000001C492000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5012-211-0x0000000000B40000-0x0000000000E64000-memory.dmp

        Filesize

        3.1MB

        Download