quasar | 677b229363785a056c131021f5bd3ff397134900fd99ae5638bb4323c3a2683c

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

honestly/MyPcGonnaExplode - Copy (10) - Copy - Copy.exe
Size

3.1MB
MD5

e35e3f1f51f82cb73c7b70451878c263
SHA1

764f6f6c17c5e3e3b88513975c94d635842f1bd8
SHA256

58606efb4cc178df08094a25618cda8a117ee7b06371f2d8ac980bd218d013c9
SHA512

5fcdfd52eb1dd60542563338ec240d4981a25d157d3fbc96be55706f950f48c6433ed87225ac9311308094954227bdca983a11c91472c5c29b860b48be24815b
SSDEEP

49152:PvyI22SsaNYfdPBldt698dBcjHjGVv9ToGdxTHHB72eh2NT:Pvf22SsaNYfdPBldt6+dBcjHjGVvp

Score

10^/10

quasar test spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test

91.109.178.8:7070

Mutex

d933480a-c837-40f6-9fb3-c6401087e068

Attributes

encryption_key
2C0C62BDD42E42BC77F98F8E1EE713B43F791267
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral3/memory/2740-1-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral3/files/0x000400000001d3dd-6.dat	family_quasar
behavioral3/memory/2788-8-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2788	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2896	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe
Token: SeDebugPrivilege	2788	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2704	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	31
PID 2740 wrote to memory of 2704	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	31
PID 2740 wrote to memory of 2704	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	31
PID 2740 wrote to memory of 2788	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	33
PID 2740 wrote to memory of 2788	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	33
PID 2740 wrote to memory of 2788	2740	MyPcGonnaExplode - Copy (10) - Copy - Copy.exe	33
PID 2788 wrote to memory of 2896	2788	Client.exe	34
PID 2788 wrote to memory of 2896	2788	Client.exe	34
PID 2788 wrote to memory of 2896	2788	Client.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\honestly\MyPcGonnaExplode - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\honestly\MyPcGonnaExplode - Copy (10) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2704
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e35e3f1f51f82cb73c7b70451878c263

SHA1
764f6f6c17c5e3e3b88513975c94d635842f1bd8

SHA256
58606efb4cc178df08094a25618cda8a117ee7b06371f2d8ac980bd218d013c9

SHA512
5fcdfd52eb1dd60542563338ec240d4981a25d157d3fbc96be55706f950f48c6433ed87225ac9311308094954227bdca983a11c91472c5c29b860b48be24815b

Download Submit
memory/2740-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/2740-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-9-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-11-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-10-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-8-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/2788-12-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads