quasar | 9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

b54a504853b292f37ae8b6548edd63bc
SHA1

216c649b28b0b91f616eccc17fc623303c505cd0
SHA256

9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8
SHA512

f44d2ae81d59f8aeab75b33f2799bcf74d1b82d99a5b6c8d340d120e5ba05612b1d9d30c7f613a36814e1bd492d18f801d45fe720fd134c659d3a0531fd63569
SSDEEP

49152:CvuG42pda6D+/PjlLOlg6yQipVvCN1JwLoGdmTHHB72eh2NT:CvJ42pda6D+/PjlLOlZyQipVvCs

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.11.75.94:4782

U5CD147FKX2:4782

192.168.1.1:4782

10.40.40.50:4782

Mutex

7d41ccf3-c5ae-4aea-802e-7a2d79e742ab

Attributes

encryption_key
D20C6B62C6848A1F494679CD1D5EBA35B7792514
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ja
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2956-1-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/files/0x0033000000016d17-6.dat	family_quasar
behavioral1/memory/3064-9-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/memory/2128-24-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/1228-36-0x0000000000D90000-0x00000000010B4000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
3064	Client.exe
2128	Client.exe
1228	Client.exe
2164	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2252	PING.EXE
2516	PING.EXE
2428	PING.EXE
1672	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2252	PING.EXE
2516	PING.EXE
2428	PING.EXE
1672	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2536	schtasks.exe
2300	schtasks.exe
2836	schtasks.exe
2644	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Client-built.exe
Token: SeDebugPrivilege	3064	Client.exe
Token: SeDebugPrivilege	2128	Client.exe
Token: SeDebugPrivilege	1228	Client.exe
Token: SeDebugPrivilege	2164	Client.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3064	Client.exe
2128	Client.exe
1228	Client.exe
2164	Client.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3064	Client.exe
2128	Client.exe
1228	Client.exe
2164	Client.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3064	Client.exe
2128	Client.exe
1228	Client.exe
2164	Client.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2836	2956	Client-built.exe	30
PID 2956 wrote to memory of 2836	2956	Client-built.exe	30
PID 2956 wrote to memory of 2836	2956	Client-built.exe	30
PID 2956 wrote to memory of 3064	2956	Client-built.exe	32
PID 2956 wrote to memory of 3064	2956	Client-built.exe	32
PID 2956 wrote to memory of 3064	2956	Client-built.exe	32
PID 3064 wrote to memory of 2644	3064	Client.exe	33
PID 3064 wrote to memory of 2644	3064	Client.exe	33
PID 3064 wrote to memory of 2644	3064	Client.exe	33
PID 3064 wrote to memory of 3016	3064	Client.exe	36
PID 3064 wrote to memory of 3016	3064	Client.exe	36
PID 3064 wrote to memory of 3016	3064	Client.exe	36
PID 3016 wrote to memory of 828	3016	cmd.exe	38
PID 3016 wrote to memory of 828	3016	cmd.exe	38
PID 3016 wrote to memory of 828	3016	cmd.exe	38
PID 3016 wrote to memory of 2252	3016	cmd.exe	39
PID 3016 wrote to memory of 2252	3016	cmd.exe	39
PID 3016 wrote to memory of 2252	3016	cmd.exe	39
PID 3016 wrote to memory of 2128	3016	cmd.exe	40
PID 3016 wrote to memory of 2128	3016	cmd.exe	40
PID 3016 wrote to memory of 2128	3016	cmd.exe	40
PID 2128 wrote to memory of 1768	2128	Client.exe	41
PID 2128 wrote to memory of 1768	2128	Client.exe	41
PID 2128 wrote to memory of 1768	2128	Client.exe	41
PID 2128 wrote to memory of 3044	2128	Client.exe	43
PID 2128 wrote to memory of 3044	2128	Client.exe	43
PID 2128 wrote to memory of 3044	2128	Client.exe	43
PID 3044 wrote to memory of 2504	3044	cmd.exe	45
PID 3044 wrote to memory of 2504	3044	cmd.exe	45
PID 3044 wrote to memory of 2504	3044	cmd.exe	45
PID 3044 wrote to memory of 2516	3044	cmd.exe	46
PID 3044 wrote to memory of 2516	3044	cmd.exe	46
PID 3044 wrote to memory of 2516	3044	cmd.exe	46
PID 3044 wrote to memory of 1228	3044	cmd.exe	47
PID 3044 wrote to memory of 1228	3044	cmd.exe	47
PID 3044 wrote to memory of 1228	3044	cmd.exe	47
PID 1228 wrote to memory of 2536	1228	Client.exe	48
PID 1228 wrote to memory of 2536	1228	Client.exe	48
PID 1228 wrote to memory of 2536	1228	Client.exe	48
PID 1228 wrote to memory of 2260	1228	Client.exe	50
PID 1228 wrote to memory of 2260	1228	Client.exe	50
PID 1228 wrote to memory of 2260	1228	Client.exe	50
PID 2260 wrote to memory of 2432	2260	cmd.exe	52
PID 2260 wrote to memory of 2432	2260	cmd.exe	52
PID 2260 wrote to memory of 2432	2260	cmd.exe	52
PID 2260 wrote to memory of 2428	2260	cmd.exe	53
PID 2260 wrote to memory of 2428	2260	cmd.exe	53
PID 2260 wrote to memory of 2428	2260	cmd.exe	53
PID 2260 wrote to memory of 2164	2260	cmd.exe	54
PID 2260 wrote to memory of 2164	2260	cmd.exe	54
PID 2260 wrote to memory of 2164	2260	cmd.exe	54
PID 2164 wrote to memory of 2300	2164	Client.exe	55
PID 2164 wrote to memory of 2300	2164	Client.exe	55
PID 2164 wrote to memory of 2300	2164	Client.exe	55
PID 2164 wrote to memory of 872	2164	Client.exe	57
PID 2164 wrote to memory of 872	2164	Client.exe	57
PID 2164 wrote to memory of 872	2164	Client.exe	57
PID 872 wrote to memory of 2180	872	cmd.exe	59
PID 872 wrote to memory of 2180	872	cmd.exe	59
PID 872 wrote to memory of 2180	872	cmd.exe	59
PID 872 wrote to memory of 1672	872	cmd.exe	60
PID 872 wrote to memory of 1672	872	cmd.exe	60
PID 872 wrote to memory of 1672	872	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2836
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2644
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AufuFPyjojRr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:828
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2252
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5LaAeadEV2fQ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2504
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOBKDzCpTFfd.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\COj5dYefoCJE.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5LaAeadEV2fQ.bat

Filesize
207B

MD5
eeb93f2846be9a86dc08f0a8c78dca35

SHA1
1b197565cb2dce2b35c8671c697509af7d97fc44

SHA256
64e2966718235513ad479245d0cde2218e7049a869d1a9e5ac0c129bc685ef31

SHA512
8a52592e6e661fa88885c24a6961e4f052baeada68a8b4d403b5434017514bd0d10d0c497424ec9e66d88019f16c8645ffc361411130911e11a1870a937fa799

Download Submit
C:\Users\Admin\AppData\Local\Temp\AufuFPyjojRr.bat

Filesize
207B

MD5
1acc7fd3cd261e88a5da0c3055f5a544

SHA1
3941e3135660e47a9e4ca40a2cd201c7b7fa53ee

SHA256
e9c5dd82ba5857761c53129f0a1b7d31ca5c0eca978218f21e54a0f7fe9e8672

SHA512
bd180fb45cc5179e74dac62219c7f43884f8716b845f848a53462059bca40a3d353eb33654981a135f6c293515d1ef282585144e906f1fb8d4d1dc0d541e7f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\COj5dYefoCJE.bat

Filesize
207B

MD5
950f96b4fe4145908a8cc3dc8b4dc79b

SHA1
d67aac98d0278c567c5b05f5c4ab7bb073b35a7c

SHA256
aef4a24d2ef47c4e3c051c84f78826a710288818575eef7109c71a679ebb0def

SHA512
0dbd24af792af7ac90ffbc0ae7f67220be0612d24564de4bcd5bf242c54e7c1011c7f7a1aae0e713f54e0cf3c8572450dc39c704cff1a797457153ed26bebe70

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOBKDzCpTFfd.bat

Filesize
207B

MD5
37ecbd92cbdc9484b971a1db9a69d4e2

SHA1
798e2a1819884e8ef1df7313ee98035628ee9335

SHA256
770aa671e8cd63205b57dc6748c2b77e1c73e897f8aecb3958101c6efd01ee0e

SHA512
09252bf347f4d05cc5ac5371d7880af4b57f9115896b88163fe5eab9f1720ad70f889f657db336f7d02e9df6030376a54a7acff586da2fc7b96c6a860c537cfa

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b54a504853b292f37ae8b6548edd63bc

SHA1
216c649b28b0b91f616eccc17fc623303c505cd0

SHA256
9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8

SHA512
f44d2ae81d59f8aeab75b33f2799bcf74d1b82d99a5b6c8d340d120e5ba05612b1d9d30c7f613a36814e1bd492d18f801d45fe720fd134c659d3a0531fd63569

Download Submit
memory/1228-36-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/2128-24-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/2956-1-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/2956-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2956-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2956-10-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-8-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-22-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-12-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-11-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-9-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads