quasar | 516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe
Size

3.4MB
MD5

9a1361570008e75a9a8c6c93b8ea9a68
SHA1

66852a8ff188d2003cb0a5c5b3b6d7659719c18c
SHA256

516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e
SHA512

88c39ba29172e236eaa32c1ac531975dc952d36556b7f3d3eb2faa3c9ffe0a39f7f3e4b2a1ae22664f86df41fddef5046d9ded2b522bd9848e5aaa58170889d5
SSDEEP

49152:GvblL26AaNeWgPhlmVqvMQ7XSKidzYAfqoGd7THHB72eh2NT:GvBL26AaNeWgPhlmVqkQ7XSK4zYAy

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

70.34.210.80:4782

192.168.1.203:4782

Mutex

0d965223-b478-41be-af32-ad5a13d78eba

Attributes

encryption_key
EBD92C218F947CFB9F2E27885F8DFFEAE9079F05
install_name
MSWinpreference.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Skype
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/816-1-0x0000000000040000-0x00000000003A6000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb6-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
528	MSWinpreference.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4456	schtasks.exe
1140	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe
Token: SeDebugPrivilege	528	MSWinpreference.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
528	MSWinpreference.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4456	816	516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe	82
PID 816 wrote to memory of 4456	816	516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe	82
PID 816 wrote to memory of 528	816	516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe	84
PID 816 wrote to memory of 528	816	516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe	84
PID 528 wrote to memory of 1140	528	MSWinpreference.exe	85
PID 528 wrote to memory of 1140	528	MSWinpreference.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe
"C:\Users\Admin\AppData\Local\Temp\516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Skype" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4456
- C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Skype" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe

Filesize
3.4MB

MD5
9a1361570008e75a9a8c6c93b8ea9a68

SHA1
66852a8ff188d2003cb0a5c5b3b6d7659719c18c

SHA256
516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e

SHA512
88c39ba29172e236eaa32c1ac531975dc952d36556b7f3d3eb2faa3c9ffe0a39f7f3e4b2a1ae22664f86df41fddef5046d9ded2b522bd9848e5aaa58170889d5

Download Submit
memory/528-9-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/528-11-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/528-12-0x000000001BD50000-0x000000001BDA0000-memory.dmp

Filesize
320KB

Download
memory/528-13-0x000000001DE10000-0x000000001DEC2000-memory.dmp

Filesize
712KB

Download
memory/528-14-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/816-1-0x0000000000040000-0x00000000003A6000-memory.dmp

Filesize
3.4MB

Download
memory/816-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/816-10-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads