quasar | 91f3543e226fa4efa50011f09441cc3d6d49f14a77b38846ba80af8396e4b268

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

4e657c4c49a04f80014300bd5602f531
SHA1

951608afa96e72732ebda92357f359f1a1793516
SHA256

91f3543e226fa4efa50011f09441cc3d6d49f14a77b38846ba80af8396e4b268
SHA512

201f854e762125ece85f41bafa38ad27d6e961d2a00504698361c12546275fe4fef25ddfc98cd56bf46c7488ee52850b1790ee5e5fa41cdebbd31756b5411fc3
SSDEEP

49152:HvbI22SsaNYfdPBldt698dBcjHInRJ6FbR3LoGdcTHHB72eh2NT:Hvk22SsaNYfdPBldt6+dBcjHInRJ6X

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Waix-40247.portmap.host:40247

Mutex

9d84e220-c4b7-4f5c-b179-163c03154a8f

Attributes

encryption_key
B963B2000CDCB4E83B2966F1E1C703720463EE18
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3228-1-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1952	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1952	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	Client-built.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3228	Client-built.exe
3228	Client-built.exe
3228	Client-built.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3228	Client-built.exe
3228	Client-built.exe
3228	Client-built.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1556	3228	Client-built.exe	100
PID 3228 wrote to memory of 1556	3228	Client-built.exe	100
PID 1556 wrote to memory of 3748	1556	cmd.exe	102
PID 1556 wrote to memory of 3748	1556	cmd.exe	102
PID 1556 wrote to memory of 1952	1556	cmd.exe	103
PID 1556 wrote to memory of 1952	1556	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LBHuD4As7BaK.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3748
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LBHuD4As7BaK.bat

Filesize
213B

MD5
40dfdcb8f28b5788a3fde3eacf080925

SHA1
ca4ad2e5f582d46c61d13ed81bd2bd0c097d04c7

SHA256
ac43cbae2e16b7d0a623d2c5af0fa4d27a05aa68c5fb29fd1ad693326d170c2c

SHA512
163a349bd3a6d70f97619de9fa2d56ae256c9c09003028b1525c3d2ff3820e931b5e25a11e4c74d258baf5ff557ca83df3f54c198ab30f0812e1378f40707b50

Download Submit
memory/3228-0-0x00007FFFA5FC3000-0x00007FFFA5FC5000-memory.dmp

Filesize
8KB

Download
memory/3228-1-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/3228-2-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp

Filesize
10.8MB

Download
memory/3228-3-0x000000001BDF0000-0x000000001BE40000-memory.dmp

Filesize
320KB

Download
memory/3228-4-0x000000001BF00000-0x000000001BFB2000-memory.dmp

Filesize
712KB

Download
memory/3228-7-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/3228-8-0x000000001BEA0000-0x000000001BEDC000-memory.dmp

Filesize
240KB

Download
memory/3228-9-0x00007FFFA5FC3000-0x00007FFFA5FC5000-memory.dmp

Filesize
8KB

Download
memory/3228-10-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp

Filesize
10.8MB

Download
memory/3228-15-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp

Filesize
10.8MB

Download