quasar | 84386ba4be46d6a071c25da1ec4f339817aeaad478a6ca9453e1935205571f20

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testv12.exe
Size

3.1MB
MD5

8f131c77156b85ca15444aabe87333ef
SHA1

5402d8163423097e863bea234d211f5b13258a4b
SHA256

84386ba4be46d6a071c25da1ec4f339817aeaad478a6ca9453e1935205571f20
SHA512

95f05308d912a25b42a73e09c061ee88cedadb5080653ae8ae794f4de6e581c099f49dbc7943f54be838b72ac7649ff573f63e7326c0a8688e7508b62deb90b0
SSDEEP

49152:Xv3lL26AaNeWgPhlmVqvMQ7XSKC1mKmzOUoGdcQTHHB72eh2NT:Xv1L26AaNeWgPhlmVqkQ7XSKC1mp

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

4.tcp.eu.ngrok.io:16602

4.tcp.eu.ngrok.io:7724

Mutex

af6a836a-9106-4785-8dce-1ced637f2ecd

Attributes

encryption_key
50B793FC4C8129DCCC330E337AEC3777884F3B64
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2580-1-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
19	4.tcp.eu.ngrok.io
2	4.tcp.eu.ngrok.io
7	4.tcp.eu.ngrok.io
13	4.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	testv12.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	testv12.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2580	testv12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2580	testv12.exe

C:\Users\Admin\AppData\Local\Temp\testv12.exe
"C:\Users\Admin\AppData\Local\Temp\testv12.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/2580-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-3-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2580-4-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download