Malware Analysis Report

2025-04-14 04:54

Sample ID 241213-hp74vs1pct
Target IMVUdineroilimitado.exe
SHA256 3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243
Tags
office04 quasar spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243

Threat Level: Known bad

The file IMVUdineroilimitado.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 06:55

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 06:55

Reported

2024-12-13 06:58

Platform

win7-20240903-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe

"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

"C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 azxq0ap.localto.net udp
US 23.158.232.33:3425 azxq0ap.localto.net tcp

Files

memory/2068-0-0x000007FEF66F3000-0x000007FEF66F4000-memory.dmp

memory/2068-1-0x0000000000230000-0x0000000000582000-memory.dmp

memory/2068-2-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

MD5 a6b8a25d0eeac0fe978cc16a1e377e37
SHA1 dae6ed3a24af41e4247872f718b0e1bb0dcc7bff
SHA256 3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243
SHA512 7dd56e27b1f112df4f4ca6e6f9846848d50496d78cdfcc913f0179c39a21c57b0a04bffabe9c1d1c85fcfda79e2ec0bd55aa38537e8325b7073970d6ede59713

memory/2820-9-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

memory/2820-8-0x0000000000340000-0x0000000000692000-memory.dmp

memory/2820-10-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

memory/2068-11-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

memory/2820-12-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 06:55

Reported

2024-12-13 06:58

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe

"C:\Users\Admin\AppData\Local\Temp\IMVUdineroilimitado.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

"C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 azxq0ap.localto.net udp
US 23.158.232.33:3425 azxq0ap.localto.net tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3616-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

memory/3616-1-0x0000000000870000-0x0000000000BC2000-memory.dmp

memory/3616-2-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

MD5 a6b8a25d0eeac0fe978cc16a1e377e37
SHA1 dae6ed3a24af41e4247872f718b0e1bb0dcc7bff
SHA256 3581567130d8c7081fcb2f9c51e066487c7da1d62833169817725ae57874a243
SHA512 7dd56e27b1f112df4f4ca6e6f9846848d50496d78cdfcc913f0179c39a21c57b0a04bffabe9c1d1c85fcfda79e2ec0bd55aa38537e8325b7073970d6ede59713

memory/1628-9-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/1628-10-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/1628-11-0x000000001B000000-0x000000001B050000-memory.dmp

memory/1628-12-0x000000001D0C0000-0x000000001D172000-memory.dmp

memory/3616-13-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/1628-14-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp