quasar | e79f1f7a293b811cf4de8077a3988c22a726204abdfb2866ba67500e53442f82

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

33bb52dbc13cd018fbe3737e8893e8a1
SHA1

c5c01d977a107c50952dc0ae442e02d60e093cd5
SHA256

e79f1f7a293b811cf4de8077a3988c22a726204abdfb2866ba67500e53442f82
SHA512

12db6746fd74242cfd5c894b1ff4696b6504ee9af6afd1e0330f8f36228914fbe8b7d1aa4df2648fea37d2c879ab3e6972ae7fa2ea6120f8f0b29ea7132aee3b
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHIGynXvoGdafTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHIGyn/

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Waix-40247.portmap.host:40247

Mutex

9d84e220-c4b7-4f5c-b179-163c03154a8f

Attributes

encryption_key
B963B2000CDCB4E83B2966F1E1C703720463EE18
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3388-1-0x00000000006D0000-0x00000000009F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3224	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3224	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	Client-built.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3388	Client-built.exe
3388	Client-built.exe
3388	Client-built.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3388	Client-built.exe
3388	Client-built.exe
3388	Client-built.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3676	3388	Client-built.exe	91
PID 3388 wrote to memory of 3676	3388	Client-built.exe	91
PID 3676 wrote to memory of 396	3676	cmd.exe	93
PID 3676 wrote to memory of 396	3676	cmd.exe	93
PID 3676 wrote to memory of 3224	3676	cmd.exe	94
PID 3676 wrote to memory of 3224	3676	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:396
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat

Filesize
213B

MD5
1989b6c868ccadbee805728f9a16a01d

SHA1
e24d525034dc10e99b2b9dfda1bc568d8c26b8bd

SHA256
18c7cfb19e500d6aa1cee8c7d69a8946ffc52dec94e8d0c4f944fcae86cab377

SHA512
45111a04d6310bcee58f0e9d1a35e81c34b632accffe21b955abd09cf1ad30ce1803276cd7d2012b934574b1be93bf904de1a10bb02b20363a044939ffbcb7cb

Download Submit
memory/3388-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

Filesize
8KB

Download
memory/3388-1-0x00000000006D0000-0x00000000009F4000-memory.dmp

Filesize
3.1MB

Download
memory/3388-2-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-3-0x000000001D960000-0x000000001D9B0000-memory.dmp

Filesize
320KB

Download
memory/3388-4-0x000000001DA70000-0x000000001DB22000-memory.dmp

Filesize
712KB

Download
memory/3388-7-0x000000001D9B0000-0x000000001D9C2000-memory.dmp

Filesize
72KB

Download
memory/3388-8-0x000000001DA10000-0x000000001DA4C000-memory.dmp

Filesize
240KB

Download
memory/3388-9-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

Filesize
8KB

Download
memory/3388-10-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-15-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download