quasar | 4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe
Size

502KB
MD5

4a1a83a32839b83f5b740f3880b02f96
SHA1

889eade4f72e5a7f59b271c834966c63fae88eea
SHA256

4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9
SHA512

8545d981ce9f07a639abc9f8ea87d13d8a2547fc1f674cf5f85894465bc78c9ad2a6fd521f0d8c876006a89719ed4a4648c99985c3b54b7ee420c773f927fdea
SSDEEP

6144:pTEgdc0YtX7IxUpGREW+ngEymrd8Mi5Etqd+yw4UUcEKOb8F9sbB0Uac0cTR3K:pTEgdfY2xUbgEyCT4wywKapz00cdK

Score

10^/10

quasar office64 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office64

87.121.52.241:4000

Mutex

398f3d5d-fcb0-4abf-8107-9e4548750c76

Attributes

encryption_key
1868814443133CA4A17ED63DA213FAB2B29A7853
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Cryptic0 Client
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4776-1-0x0000000000670000-0x00000000006F4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c60-5.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
1968	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
3872	schtasks.exe
2376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	4776	4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe
Token: SeDebugPrivilege	1968	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exeClient.exe

description	pid	Process	procid_target
PID 4776 wrote to memory of 3872	4776	4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe	83
PID 4776 wrote to memory of 3872	4776	4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe	83
PID 4776 wrote to memory of 1968	4776	4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe	85
PID 4776 wrote to memory of 1968	4776	4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe	85
PID 1968 wrote to memory of 2376	1968	Client.exe	86
PID 1968 wrote to memory of 2376	1968	Client.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe
"C:\Users\Admin\AppData\Local\Temp\4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Cryptic0 Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3872
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Cryptic0 Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
4a1a83a32839b83f5b740f3880b02f96

SHA1
889eade4f72e5a7f59b271c834966c63fae88eea

SHA256
4bfb85af6e2eef6cd57d28ab22cc963ab27af48c4b8e55553f2cd11ef735bdc9

SHA512
8545d981ce9f07a639abc9f8ea87d13d8a2547fc1f674cf5f85894465bc78c9ad2a6fd521f0d8c876006a89719ed4a4648c99985c3b54b7ee420c773f927fdea

Download Submit
memory/1968-8-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/1968-10-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/1968-11-0x000000001AFC0000-0x000000001B010000-memory.dmp

Filesize
320KB

Download
memory/1968-12-0x000000001B600000-0x000000001B6B2000-memory.dmp

Filesize
712KB

Download
memory/1968-13-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/4776-0-0x00007FFD146C3000-0x00007FFD146C5000-memory.dmp

Filesize
8KB

Download
memory/4776-1-0x0000000000670000-0x00000000006F4000-memory.dmp

Filesize
528KB

Download
memory/4776-2-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/4776-9-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download