quasar | c63218f9ea9fcd899216ecf7f802c4c7c94c633d8c404ecf9be30adbdee00e5f

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zamówienie - 021224 - 901003637.exe
Size

3.7MB
MD5

15f259b30ec72a5217144834f7f5b564
SHA1

baed3fe7d059a497f856e263431ccd3872ef1ea1
SHA256

01de053d9560d419f0b6c35dbddb1175eb1fd7a21450989332024b812d39c4c2
SHA512

5e1148a9cf8008b7c38d067ec34e5c3bc7255341d114476532f8111ea2c3e654eb70b0a439aaaea22543576f09b9cec269f9b3414a6a24fc54b89c7c677c5f47
SSDEEP

98304:ZrAsTIZbqqBQjwske/pCT66UNYekeWY0CE9:ZcCSL0ke/pO5ekeWtCE9

Score

10^/10

quasar david discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

DAVID

hoffmann3.ydns.eu:5829

Mutex

532aca2b-96ff-44aa-9213-031e975919ac

Attributes

encryption_key
C5B555A83D127A9553D4FB1FCECB35CE8E91A447
install_name
outlooks.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Outlooks
subdirectory
WindowsUpdates

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2920-23-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2920-31-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2920-28-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2920-26-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2920-29-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2224	powershell.exe
2512	powershell.exe
3028	powershell.exe
2880	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

outlooks.exeoutlooks.exe

pid	Process
1676	outlooks.exe
632	outlooks.exe

Loads dropped DLL 1 IoCs

Processes:

Zamówienie - 021224 - 901003637.exe

pid	Process
2920	Zamówienie - 021224 - 901003637.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Zamówienie - 021224 - 901003637.exeoutlooks.exe

description	pid	Process	procid_target
PID 1620 set thread context of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1676 set thread context of 632	1676	outlooks.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeschtasks.exeZamówienie - 021224 - 901003637.exeoutlooks.exeschtasks.exepowershell.exeschtasks.exeZamówienie - 021224 - 901003637.exepowershell.exeschtasks.exepowershell.exeoutlooks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zamówienie - 021224 - 901003637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outlooks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zamówienie - 021224 - 901003637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outlooks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2384	schtasks.exe
848	schtasks.exe
2148	schtasks.exe
1848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2512	powershell.exe
2224	powershell.exe
3028	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exeZamówienie - 021224 - 901003637.exepowershell.exepowershell.exeoutlooks.exe

description	pid	Process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2920	Zamówienie - 021224 - 901003637.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	632	outlooks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

outlooks.exe

pid	Process
632	outlooks.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Zamówienie - 021224 - 901003637.exeZamówienie - 021224 - 901003637.exeoutlooks.exeoutlooks.exe

description	pid	Process	procid_target
PID 1620 wrote to memory of 2224	1620	Zamówienie - 021224 - 901003637.exe	30
PID 1620 wrote to memory of 2224	1620	Zamówienie - 021224 - 901003637.exe	30
PID 1620 wrote to memory of 2224	1620	Zamówienie - 021224 - 901003637.exe	30
PID 1620 wrote to memory of 2224	1620	Zamówienie - 021224 - 901003637.exe	30
PID 1620 wrote to memory of 2512	1620	Zamówienie - 021224 - 901003637.exe	32
PID 1620 wrote to memory of 2512	1620	Zamówienie - 021224 - 901003637.exe	32
PID 1620 wrote to memory of 2512	1620	Zamówienie - 021224 - 901003637.exe	32
PID 1620 wrote to memory of 2512	1620	Zamówienie - 021224 - 901003637.exe	32
PID 1620 wrote to memory of 2148	1620	Zamówienie - 021224 - 901003637.exe	33
PID 1620 wrote to memory of 2148	1620	Zamówienie - 021224 - 901003637.exe	33
PID 1620 wrote to memory of 2148	1620	Zamówienie - 021224 - 901003637.exe	33
PID 1620 wrote to memory of 2148	1620	Zamówienie - 021224 - 901003637.exe	33
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 1620 wrote to memory of 2920	1620	Zamówienie - 021224 - 901003637.exe	36
PID 2920 wrote to memory of 1848	2920	Zamówienie - 021224 - 901003637.exe	38
PID 2920 wrote to memory of 1848	2920	Zamówienie - 021224 - 901003637.exe	38
PID 2920 wrote to memory of 1848	2920	Zamówienie - 021224 - 901003637.exe	38
PID 2920 wrote to memory of 1848	2920	Zamówienie - 021224 - 901003637.exe	38
PID 2920 wrote to memory of 1676	2920	Zamówienie - 021224 - 901003637.exe	40
PID 2920 wrote to memory of 1676	2920	Zamówienie - 021224 - 901003637.exe	40
PID 2920 wrote to memory of 1676	2920	Zamówienie - 021224 - 901003637.exe	40
PID 2920 wrote to memory of 1676	2920	Zamówienie - 021224 - 901003637.exe	40
PID 1676 wrote to memory of 3028	1676	outlooks.exe	41
PID 1676 wrote to memory of 3028	1676	outlooks.exe	41
PID 1676 wrote to memory of 3028	1676	outlooks.exe	41
PID 1676 wrote to memory of 3028	1676	outlooks.exe	41
PID 1676 wrote to memory of 2880	1676	outlooks.exe	43
PID 1676 wrote to memory of 2880	1676	outlooks.exe	43
PID 1676 wrote to memory of 2880	1676	outlooks.exe	43
PID 1676 wrote to memory of 2880	1676	outlooks.exe	43
PID 1676 wrote to memory of 2384	1676	outlooks.exe	45
PID 1676 wrote to memory of 2384	1676	outlooks.exe	45
PID 1676 wrote to memory of 2384	1676	outlooks.exe	45
PID 1676 wrote to memory of 2384	1676	outlooks.exe	45
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 1676 wrote to memory of 632	1676	outlooks.exe	47
PID 632 wrote to memory of 848	632	outlooks.exe	48
PID 632 wrote to memory of 848	632	outlooks.exe	48
PID 632 wrote to memory of 848	632	outlooks.exe	48
PID 632 wrote to memory of 848	632	outlooks.exe	48

C:\Users\Admin\AppData\Local\Temp\Zamówienie - 021224 - 901003637.exe
"C:\Users\Admin\AppData\Local\Temp\Zamówienie - 021224 - 901003637.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Zamówienie - 021224 - 901003637.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eNuXmIwkixzW.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC41A.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\Zamówienie - 021224 - 901003637.exe
  "C:\Users\Admin\AppData\Local\Temp\Zamówienie - 021224 - 901003637.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1848
- - C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe
    "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eNuXmIwkixzW.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNuXmIwkixzW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2384
  - - C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe
      "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC41A.tmp

Filesize
1KB

MD5
89a0ae39e45c5cf5f1f5bff1f44cfd43

SHA1
47fa136de42a0c425d65c6dcd96402f07f7e4e38

SHA256
968d6b5d3a38e6af7b91d40070ab1140cf226ef94be38ff8b2446ef58a30bd90

SHA512
099031928772c7e5898ccf8b6460a5f542443bedabdb514631c391abe92e76e780a2721bdea7d24610bae8812366f8e7b554fea1559b5c7d15e804d16c13858e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YRULE5KAVWZ3KZT5ZQOY.temp

Filesize
7KB

MD5
7ff1dba59de17faba0de95ca9ee90333

SHA1
55e6368226b057c6d4d4fabf57a3e1d0c9f9bf70

SHA256
c2d0fd6f955b8f4f381dc38874d680169015299d06df8905c6d4224953425b95

SHA512
afc2addf3e270bc51850df99ce53449ed14d92aaa36d0e487e7fc50b3087735cd16cc2361accfa5ddb97d37f30b48e2a8e2177403afb50be236c794a23921560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9aa4e955025d56607b46cfd69bb30cc5

SHA1
211842e0ac89ff905a6057fe30a387b1be405b5e

SHA256
39a715cdc2813023d605818d06fb070038b970c4832ab6133df649c3eef49d3f

SHA512
40bdb15d7822dff93b98740ddcfc83eba0b97be9bb5b5dbf07fad130aebef7053b78391cc3cf7881c7ca1ac26b8e317224d4c346f07571e9f6ea935330e7d128

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdates\outlooks.exe

Filesize
3.7MB

MD5
15f259b30ec72a5217144834f7f5b564

SHA1
baed3fe7d059a497f856e263431ccd3872ef1ea1

SHA256
01de053d9560d419f0b6c35dbddb1175eb1fd7a21450989332024b812d39c4c2

SHA512
5e1148a9cf8008b7c38d067ec34e5c3bc7255341d114476532f8111ea2c3e654eb70b0a439aaaea22543576f09b9cec269f9b3414a6a24fc54b89c7c677c5f47

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/632-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1620-3-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/1620-6-0x0000000007BF0000-0x0000000007F58000-memory.dmp

Filesize
3.4MB

Download
memory/1620-5-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-4-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/1620-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-32-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-1-0x0000000000A90000-0x0000000000E3C000-memory.dmp

Filesize
3.7MB

Download
memory/1676-40-0x0000000000C80000-0x000000000102C000-memory.dmp

Filesize
3.7MB

Download
memory/2920-23-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-21-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-29-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-26-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-28-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-31-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2920-20-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download