quasar | 358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eggpy.exe
Size

3.3MB
MD5

311933ce408d4d388840c403a42324a8
SHA1

d8087493d05a664639ec0855bb636789be0bae53
SHA256

358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd
SHA512

965957a8e15ebd5ced85e827c9888ae69e2be563c0488b64d7c59eccf686330171a475beeae36140c271b06072c5675fe90ff9ef011cba396edd25df3928656b
SSDEEP

49152:ovKgo2QSaNpzyPllgamb0CZof/JaG83ear1LoGdHh7THHB72eh2NT/:ovjo2QSaNpzyPllgamYCZof/JE3VXw

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

AWZ3153-54894.portmap.host:54894

AWZ3153-54894.portmap.host:4782

Mutex

504548b2-3cf4-4efe-90ce-156d3776854c

Attributes

encryption_key
5F9B0D3C7007E834C112F6078ABD8C2684830A3F
install_name
cmdline.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
cmd

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1792-1-0x00000000005E0000-0x0000000000934000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c4f-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3692	cmdline.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
1868	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	Eggpy.exe
Token: SeDebugPrivilege	3692	cmdline.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3692	cmdline.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2476	1792	Eggpy.exe	84
PID 1792 wrote to memory of 2476	1792	Eggpy.exe	84
PID 1792 wrote to memory of 3692	1792	Eggpy.exe	86
PID 1792 wrote to memory of 3692	1792	Eggpy.exe	86
PID 3692 wrote to memory of 1868	3692	cmdline.exe	87
PID 3692 wrote to memory of 1868	3692	cmdline.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Eggpy.exe
"C:\Users\Admin\AppData\Local\Temp\Eggpy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2476
- C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe
  "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe

Filesize
3.3MB

MD5
311933ce408d4d388840c403a42324a8

SHA1
d8087493d05a664639ec0855bb636789be0bae53

SHA256
358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd

SHA512
965957a8e15ebd5ced85e827c9888ae69e2be563c0488b64d7c59eccf686330171a475beeae36140c271b06072c5675fe90ff9ef011cba396edd25df3928656b

Download Submit
memory/1792-0-0x00007FF9A1C03000-0x00007FF9A1C05000-memory.dmp

Filesize
8KB

Download
memory/1792-1-0x00000000005E0000-0x0000000000934000-memory.dmp

Filesize
3.3MB

Download
memory/1792-2-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/1792-10-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-9-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-11-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-12-0x0000000002A50000-0x0000000002AA0000-memory.dmp

Filesize
320KB

Download
memory/3692-13-0x000000001BB60000-0x000000001BC12000-memory.dmp

Filesize
712KB

Download
memory/3692-16-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/3692-17-0x000000001C260000-0x000000001C29C000-memory.dmp

Filesize
240KB

Download
memory/3692-18-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads