Malware Analysis Report

2025-04-14 04:54

Sample ID 241213-vmj1gavnc1
Target Client-built.exe
SHA256 e79f1f7a293b811cf4de8077a3988c22a726204abdfb2866ba67500e53442f82
Tags
office04 quasar spyware trojan discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e79f1f7a293b811cf4de8077a3988c22a726204abdfb2866ba67500e53442f82

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan discovery

Quasar family

Quasar payload

Quasar RAT

Checks computer location settings

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 17:06

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 17:06

Reported

2024-12-13 17:08

Platform

win7-20241010-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Waix-40247.portmap.host udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp

Files

memory/1764-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/1764-1-0x00000000002B0000-0x00000000005D4000-memory.dmp

memory/1764-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/1764-3-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/1764-4-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 17:06

Reported

2024-12-13 17:08

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\cmd.exe
PID 3388 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3676 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3676 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3676 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 Waix-40247.portmap.host udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3388-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

memory/3388-1-0x00000000006D0000-0x00000000009F4000-memory.dmp

memory/3388-2-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

memory/3388-3-0x000000001D960000-0x000000001D9B0000-memory.dmp

memory/3388-4-0x000000001DA70000-0x000000001DB22000-memory.dmp

memory/3388-7-0x000000001D9B0000-0x000000001D9C2000-memory.dmp

memory/3388-8-0x000000001DA10000-0x000000001DA4C000-memory.dmp

memory/3388-9-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

memory/3388-10-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

memory/3388-15-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat

MD5 1989b6c868ccadbee805728f9a16a01d
SHA1 e24d525034dc10e99b2b9dfda1bc568d8c26b8bd
SHA256 18c7cfb19e500d6aa1cee8c7d69a8946ffc52dec94e8d0c4f944fcae86cab377
SHA512 45111a04d6310bcee58f0e9d1a35e81c34b632accffe21b955abd09cf1ad30ce1803276cd7d2012b934574b1be93bf904de1a10bb02b20363a044939ffbcb7cb