quasar | ecce2755fb5ea36f5c5c204d2f289a87909a1affcb3cebe7310d39617d860981

Analysis

max time kernel
47s
max time network
37s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ANYX-client-build/AnyLoaderV4.9.exe
Size

3.1MB
MD5

9a99be1ac8e21a3c4959702a02b25d6e
SHA1

55d6230481e90c8a2f9d09956c07e3db1d03a96d
SHA256

e26918aac1a313925a7aecdaeb1990788cd2e09e439cd3e5fe8d6babb89df0f1
SHA512

46ae9d4d95c89afb3ed987445dcf72c71e770e99c35759a724e963952784d518530b2829b856b7818a8bc226e35fa8f243e18e35da4d7169c44edc5303159ea4
SSDEEP

49152:rvelL26AaNeWgPhlmVqvMQ7XSKodL5mzSooGdw9THHB72eh2NT:rvOL26AaNeWgPhlmVqkQ7XSKodL0A

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

rolok44419-55109.portmap.host:55109

Mutex

0bcbf378-c5c6-4d35-b7db-11442a750cf2

Attributes

encryption_key
A1C7F8E92E515420A946C210E4F8C886810ADBFD
install_name
AnyLoaderV4.9.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3084-1-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar
behavioral1/files/0x002a000000046170-3.dat	family_quasar

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	AnyLoaderV4.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	AnyLoaderV4.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	AnyLoaderV4.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	AnyLoaderV4.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation	AnyLoaderV4.9.exe

Executes dropped EXE 5 IoCs

pid	Process
2244	AnyLoaderV4.9.exe
716	AnyLoaderV4.9.exe
3772	AnyLoaderV4.9.exe
964	AnyLoaderV4.9.exe
440	AnyLoaderV4.9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3592	PING.EXE
1664	PING.EXE
1564	PING.EXE
4256	PING.EXE
1812	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1564	PING.EXE
4256	PING.EXE
1812	PING.EXE
3592	PING.EXE
1664	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1060	schtasks.exe
1112	schtasks.exe
3624	schtasks.exe
4072	schtasks.exe
224	schtasks.exe
4988	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	2244	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	716	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	3772	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	964	AnyLoaderV4.9.exe
Token: SeDebugPrivilege	440	AnyLoaderV4.9.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 4988	3084	AnyLoaderV4.9.exe	82
PID 3084 wrote to memory of 4988	3084	AnyLoaderV4.9.exe	82
PID 3084 wrote to memory of 2244	3084	AnyLoaderV4.9.exe	84
PID 3084 wrote to memory of 2244	3084	AnyLoaderV4.9.exe	84
PID 2244 wrote to memory of 1060	2244	AnyLoaderV4.9.exe	87
PID 2244 wrote to memory of 1060	2244	AnyLoaderV4.9.exe	87
PID 2244 wrote to memory of 3948	2244	AnyLoaderV4.9.exe	89
PID 2244 wrote to memory of 3948	2244	AnyLoaderV4.9.exe	89
PID 3948 wrote to memory of 1708	3948	cmd.exe	93
PID 3948 wrote to memory of 1708	3948	cmd.exe	93
PID 3948 wrote to memory of 3592	3948	cmd.exe	94
PID 3948 wrote to memory of 3592	3948	cmd.exe	94
PID 3948 wrote to memory of 716	3948	cmd.exe	104
PID 3948 wrote to memory of 716	3948	cmd.exe	104
PID 716 wrote to memory of 1112	716	AnyLoaderV4.9.exe	105
PID 716 wrote to memory of 1112	716	AnyLoaderV4.9.exe	105
PID 716 wrote to memory of 4536	716	AnyLoaderV4.9.exe	107
PID 716 wrote to memory of 4536	716	AnyLoaderV4.9.exe	107
PID 4536 wrote to memory of 1636	4536	cmd.exe	109
PID 4536 wrote to memory of 1636	4536	cmd.exe	109
PID 4536 wrote to memory of 1664	4536	cmd.exe	110
PID 4536 wrote to memory of 1664	4536	cmd.exe	110
PID 4536 wrote to memory of 3772	4536	cmd.exe	112
PID 4536 wrote to memory of 3772	4536	cmd.exe	112
PID 3772 wrote to memory of 3624	3772	AnyLoaderV4.9.exe	113
PID 3772 wrote to memory of 3624	3772	AnyLoaderV4.9.exe	113
PID 3772 wrote to memory of 3404	3772	AnyLoaderV4.9.exe	115
PID 3772 wrote to memory of 3404	3772	AnyLoaderV4.9.exe	115
PID 3404 wrote to memory of 4788	3404	cmd.exe	117
PID 3404 wrote to memory of 4788	3404	cmd.exe	117
PID 3404 wrote to memory of 1564	3404	cmd.exe	118
PID 3404 wrote to memory of 1564	3404	cmd.exe	118
PID 3404 wrote to memory of 964	3404	cmd.exe	121
PID 3404 wrote to memory of 964	3404	cmd.exe	121
PID 964 wrote to memory of 4072	964	AnyLoaderV4.9.exe	122
PID 964 wrote to memory of 4072	964	AnyLoaderV4.9.exe	122
PID 964 wrote to memory of 2088	964	AnyLoaderV4.9.exe	124
PID 964 wrote to memory of 2088	964	AnyLoaderV4.9.exe	124
PID 2088 wrote to memory of 1376	2088	cmd.exe	126
PID 2088 wrote to memory of 1376	2088	cmd.exe	126
PID 2088 wrote to memory of 4256	2088	cmd.exe	127
PID 2088 wrote to memory of 4256	2088	cmd.exe	127
PID 2088 wrote to memory of 440	2088	cmd.exe	128
PID 2088 wrote to memory of 440	2088	cmd.exe	128
PID 440 wrote to memory of 224	440	AnyLoaderV4.9.exe	129
PID 440 wrote to memory of 224	440	AnyLoaderV4.9.exe	129
PID 440 wrote to memory of 4412	440	AnyLoaderV4.9.exe	131
PID 440 wrote to memory of 4412	440	AnyLoaderV4.9.exe	131
PID 4412 wrote to memory of 408	4412	cmd.exe	133
PID 4412 wrote to memory of 408	4412	cmd.exe	133
PID 4412 wrote to memory of 1812	4412	cmd.exe	134
PID 4412 wrote to memory of 1812	4412	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ANYX-client-build\AnyLoaderV4.9.exe
"C:\Users\Admin\AppData\Local\Temp\ANYX-client-build\AnyLoaderV4.9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4988
- C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guo2Senq26lu.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1708
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3592
  - - C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:716
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCmXE3mWXTOe.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1636
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
      - C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2YMfiypC1n1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqI6J6sompdr.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pHT2RI1XCgj2.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AnyLoaderV4.9.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2YMfiypC1n1.bat

Filesize
214B

MD5
5f9aa528b1f5b7f7523599cd369eed09

SHA1
f9996c0443730e6dd29dd02dd677439c85b45e0c

SHA256
27b9174a7908fd0d8761f92dda0121fc6b59d564078636027658f9ef2a95b661

SHA512
5dd195f1f628846c82f3967c6fa66dc85cb66ab2d7f080838e13861f50238af7b054f08cf04fd707d1790e460416d9175b5cdca1f52fc16f4d4e5e8b6b74b265

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqI6J6sompdr.bat

Filesize
214B

MD5
af60453370090b82b556075bedf6e0d7

SHA1
e24837d062e4187a60c774d1798c3afd8020c395

SHA256
bf1a9c13a286463f98c7ad335ba43089aadae998c04bb1ee341009c70d46d2df

SHA512
075da13a64758d6fd86abd758c704c9af3f4f061047952243715d13ebb9e7010829943fe4c788c9cc59e840b070ef848e34b27f021e1f59a908bbce5f19aa617

Download Submit
C:\Users\Admin\AppData\Local\Temp\guo2Senq26lu.bat

Filesize
214B

MD5
4688cdab3eba3c82995a9145066fc497

SHA1
ef4e1cdf9fd7f8cbd5c22ec1a4ae9fcb783e742e

SHA256
6f4fdd95c18adf5a01ed0835bc5b9c76f339f3b5fac55fae8f83827bf6afb03d

SHA512
c85948a7e81072f86e9e70d8be602b2e60c2aba65149330c43b610f3e3aa58c6a1e05596b79bf089051d46ac366599f522cf04e9fee787ea8f9b7a3681ec7658

Download Submit
C:\Users\Admin\AppData\Local\Temp\pHT2RI1XCgj2.bat

Filesize
214B

MD5
0b119319a64de8773a74893fe971160d

SHA1
59513c605a015899eb351f2fd9da8eb2b03c6749

SHA256
ea46b84d991ccb7e500728b25127097d278b01fcc4cb4b38461945e99b31b470

SHA512
ac8adafd410ebba9a2de2c3305c101565e187cbbdc1a35fc4a0e6fef8f4b77f67673d8cdf7daeaedc935ef0fa870f478692fa4974dce6419b6a6373f7630d732

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCmXE3mWXTOe.bat

Filesize
214B

MD5
c604a310f769a7f45f04a466c0a041ad

SHA1
14e8231cc9a27f1551a7f348cc18bf8b4cfc41b3

SHA256
1cc3861f4d0675f3223e9a121f23aa221d511bfdb5b238251eb187993de3604b

SHA512
10c4ca9f764e6dddf9855205d409022f7b4ec6e14ed83acbfab4fbb2b4dbe3472f72f445541d025e459b08dd429e5e1908b151a288ba14664f97fb293542922f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\AnyLoaderV4.9.exe

Filesize
3.1MB

MD5
9a99be1ac8e21a3c4959702a02b25d6e

SHA1
55d6230481e90c8a2f9d09956c07e3db1d03a96d

SHA256
e26918aac1a313925a7aecdaeb1990788cd2e09e439cd3e5fe8d6babb89df0f1

SHA512
46ae9d4d95c89afb3ed987445dcf72c71e770e99c35759a724e963952784d518530b2829b856b7818a8bc226e35fa8f243e18e35da4d7169c44edc5303159ea4

Download Submit
memory/2244-7-0x00007FFA00F50000-0x00007FFA01A12000-memory.dmp

Filesize
10.8MB

Download
memory/2244-8-0x00007FFA00F50000-0x00007FFA01A12000-memory.dmp

Filesize
10.8MB

Download
memory/2244-9-0x000000001CF10000-0x000000001CF60000-memory.dmp

Filesize
320KB

Download
memory/2244-10-0x000000001D020000-0x000000001D0D2000-memory.dmp

Filesize
712KB

Download
memory/2244-17-0x00007FFA00F50000-0x00007FFA01A12000-memory.dmp

Filesize
10.8MB

Download
memory/3084-6-0x00007FFA00F50000-0x00007FFA01A12000-memory.dmp

Filesize
10.8MB

Download
memory/3084-0-0x00007FFA00F53000-0x00007FFA00F55000-memory.dmp

Filesize
8KB

Download
memory/3084-2-0x00007FFA00F50000-0x00007FFA01A12000-memory.dmp

Filesize
10.8MB

Download
memory/3084-1-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads