quasar | 9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

b54a504853b292f37ae8b6548edd63bc
SHA1

216c649b28b0b91f616eccc17fc623303c505cd0
SHA256

9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8
SHA512

f44d2ae81d59f8aeab75b33f2799bcf74d1b82d99a5b6c8d340d120e5ba05612b1d9d30c7f613a36814e1bd492d18f801d45fe720fd134c659d3a0531fd63569
SSDEEP

49152:CvuG42pda6D+/PjlLOlg6yQipVvCN1JwLoGdmTHHB72eh2NT:CvJ42pda6D+/PjlLOlZyQipVvCs

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.11.75.94:4782

U5CD147FKX2:4782

192.168.1.1:4782

10.40.40.50:4782

Mutex

7d41ccf3-c5ae-4aea-802e-7a2d79e742ab

Attributes

encryption_key
D20C6B62C6848A1F494679CD1D5EBA35B7792514
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ja
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1960-1-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c01-6.dat	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 4 IoCs

pid	Process
1956	Client.exe
3276	Client.exe
2984	Client.exe
3984	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1156	PING.EXE
4724	PING.EXE
1084	PING.EXE
1436	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE
1156	PING.EXE
4724	PING.EXE
1084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4188	schtasks.exe
468	schtasks.exe
1640	schtasks.exe
4428	schtasks.exe
4528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	Client-built.exe
Token: SeDebugPrivilege	1956	Client.exe
Token: SeDebugPrivilege	3276	Client.exe
Token: SeDebugPrivilege	2984	Client.exe
Token: SeDebugPrivilege	3984	Client.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1956	Client.exe
3276	Client.exe
2984	Client.exe
3984	Client.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1956	Client.exe
3276	Client.exe
2984	Client.exe
3984	Client.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1956	Client.exe
3276	Client.exe
2984	Client.exe
3984	Client.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1640	1960	Client-built.exe	82
PID 1960 wrote to memory of 1640	1960	Client-built.exe	82
PID 1960 wrote to memory of 1956	1960	Client-built.exe	84
PID 1960 wrote to memory of 1956	1960	Client-built.exe	84
PID 1956 wrote to memory of 4428	1956	Client.exe	85
PID 1956 wrote to memory of 4428	1956	Client.exe	85
PID 1956 wrote to memory of 2100	1956	Client.exe	95
PID 1956 wrote to memory of 2100	1956	Client.exe	95
PID 2100 wrote to memory of 4412	2100	cmd.exe	97
PID 2100 wrote to memory of 4412	2100	cmd.exe	97
PID 2100 wrote to memory of 1436	2100	cmd.exe	98
PID 2100 wrote to memory of 1436	2100	cmd.exe	98
PID 2100 wrote to memory of 3276	2100	cmd.exe	100
PID 2100 wrote to memory of 3276	2100	cmd.exe	100
PID 3276 wrote to memory of 4528	3276	Client.exe	101
PID 3276 wrote to memory of 4528	3276	Client.exe	101
PID 3276 wrote to memory of 368	3276	Client.exe	103
PID 3276 wrote to memory of 368	3276	Client.exe	103
PID 368 wrote to memory of 3524	368	cmd.exe	105
PID 368 wrote to memory of 3524	368	cmd.exe	105
PID 368 wrote to memory of 1156	368	cmd.exe	106
PID 368 wrote to memory of 1156	368	cmd.exe	106
PID 368 wrote to memory of 2984	368	cmd.exe	107
PID 368 wrote to memory of 2984	368	cmd.exe	107
PID 2984 wrote to memory of 4188	2984	Client.exe	108
PID 2984 wrote to memory of 4188	2984	Client.exe	108
PID 2984 wrote to memory of 4356	2984	Client.exe	110
PID 2984 wrote to memory of 4356	2984	Client.exe	110
PID 4356 wrote to memory of 4400	4356	cmd.exe	112
PID 4356 wrote to memory of 4400	4356	cmd.exe	112
PID 4356 wrote to memory of 4724	4356	cmd.exe	113
PID 4356 wrote to memory of 4724	4356	cmd.exe	113
PID 4356 wrote to memory of 3984	4356	cmd.exe	114
PID 4356 wrote to memory of 3984	4356	cmd.exe	114
PID 3984 wrote to memory of 468	3984	Client.exe	115
PID 3984 wrote to memory of 468	3984	Client.exe	115
PID 3984 wrote to memory of 492	3984	Client.exe	117
PID 3984 wrote to memory of 492	3984	Client.exe	117
PID 492 wrote to memory of 4448	492	cmd.exe	119
PID 492 wrote to memory of 4448	492	cmd.exe	119
PID 492 wrote to memory of 1084	492	cmd.exe	120
PID 492 wrote to memory of 1084	492	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1640
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGKjBCA23x5o.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4412
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1436
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kguh7AZVnGLh.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3524
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ombc5EhhN5N.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ja" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wrrx2CxVPwlR.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ombc5EhhN5N.bat

Filesize
207B

MD5
3258eb4dc64b558a65944cdb4496075f

SHA1
083e114519c4bdb74ba8c411eb6fcb883d21d0f4

SHA256
77f5f4c7a668923735f411fe66b50abf0926ce85aa2954fc19b8d9a69121495d

SHA512
b9c4b87488c08623b2228b0f341e9747554e35f0cddb6041ea57b1331e683c7390d8f32c23f0eaf4ffc172df5dd8f6701c42df8f4438a23a7cf138c1e1a1c627

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGKjBCA23x5o.bat

Filesize
207B

MD5
32229853e9324c03213cb46d21598509

SHA1
0515f34567a65ae66a54ef5c7f17a0e56295807e

SHA256
b030436379ed93726491428970ac9d8bc63c02d46bd0d0e9ab2a3d6a396fee2e

SHA512
739a0db8883462538504b31d81009ce5cda9bd7229cea3a1470a220deb73afac09fe5fa584e8b71065558f7491388e87e1fbbaad7a999d081dd41124fe12d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kguh7AZVnGLh.bat

Filesize
207B

MD5
7b674082497166da6730330807489434

SHA1
305b6521e5b0246ee259136e2244853302bba1b7

SHA256
07cf16adb291eb05920ddaaa523bf7b46bd6569a594d3094815384700aad8918

SHA512
1a3d1223094c33f041bc6fd1a73b3fb8fb010d7d607df25061bd53e81b9b7f315c85f79d073c7e7e2f5ae91cf5c485445daf6f720141274b5cc7fd0becbbe789

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrrx2CxVPwlR.bat

Filesize
207B

MD5
591f9891d29582f0439f86c20d7bd1c5

SHA1
89c3ccfcec7d275584405673632bf6273dc61287

SHA256
03ae72f3ce603df1deefb389aea7d2eae58dbfed2debd9338a71ca936c042a71

SHA512
1eb824860a0f4c7985709c37e73d50b8cf3a6700d6d0bebbd2389e3e5924e116e03ea5ba6fcce8ed90dda7d3eaf819188867082c247487a064dae2e6ec3b5e8b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b54a504853b292f37ae8b6548edd63bc

SHA1
216c649b28b0b91f616eccc17fc623303c505cd0

SHA256
9543e50b475f687645e1b8d772a3218df43f4abc4fffb172575a4ea2d6f0bff8

SHA512
f44d2ae81d59f8aeab75b33f2799bcf74d1b82d99a5b6c8d340d120e5ba05612b1d9d30c7f613a36814e1bd492d18f801d45fe720fd134c659d3a0531fd63569

Download Submit
memory/1956-10-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-12-0x000000001C040000-0x000000001C090000-memory.dmp

Filesize
320KB

Download
memory/1956-13-0x000000001C150000-0x000000001C202000-memory.dmp

Filesize
712KB

Download
memory/1956-14-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-19-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-11-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-9-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-0-0x00007FFC0E1E3000-0x00007FFC0E1E5000-memory.dmp

Filesize
8KB

Download
memory/1960-2-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-1-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads