quasar | f84bd9538137af690b0acd123b7f91cae6c7e08dc0f0640f379658d2c4ee7e91

Analysis

max time kernel
891s
max time network
899s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cliento.zip
Size

1.2MB
MD5

9748809c3ec4881eda92f259b4d7c007
SHA1

3f036b3896e7f5586c5e762f0b5e47e34f76228f
SHA256

f84bd9538137af690b0acd123b7f91cae6c7e08dc0f0640f379658d2c4ee7e91
SHA512

ae4cf64ee83503d99e8d06408a2db78625b5e8248324f2288400f46a509dcbdb55d7f564cc4878692fe3c0bfbb5a2225ae6751164e46385157f14b3115fa400c
SSDEEP

24576:CEZPc7LVJCGexfUkbHb++qy2W92QifC40v4V5StrO/uIZuiMwZF:CEZPcWGexzRGW92QiX+trOWsMq

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

9f808638-1d71-4cd8-bcba-dc4258c5567c

Attributes

encryption_key
50594C0487E73C95F03F5F7C150B052B4C74F9BE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002aa77-2.dat	family_quasar
behavioral1/memory/2132-5-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2132	Client-built.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3396	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2536	7zFM.exe
Token: 35	2536	7zFM.exe
Token: SeSecurityPrivilege	2536	7zFM.exe
Token: SeDebugPrivilege	2132	Client-built.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2536	7zFM.exe
2536	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2132	Client-built.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3396	2132	Client-built.exe	82
PID 2132 wrote to memory of 3396	2132	Client-built.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\cliento.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2964

C:\Users\Admin\Desktop\cliento\Client-built.exe
"C:\Users\Admin\Desktop\cliento\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\cliento\Client-built.exe

Filesize
3.1MB

MD5
48be60b3ee1e00cc82390f9b15a557b0

SHA1
3a85f43f73a6559d93f8510ddd322fd25ab6478f

SHA256
0717e7dba5d6758431ecfa178c4e5c850340dc2a64009572252bb1639a2be16a

SHA512
9367f3dde580ec19c8c6ef1c83bc7119160d70bca7cae04e0e2fb3242083797306ecdfbda4014782ffe04a23cdd85830fc7a49ff4eb55087e9ee1f096967a4ef

Download Submit
memory/2132-4-0x00007FF8ECA53000-0x00007FF8ECA55000-memory.dmp

Filesize
8KB

Download
memory/2132-5-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download
memory/2132-6-0x00007FF8ECA50000-0x00007FF8ED512000-memory.dmp

Filesize
10.8MB

Download
memory/2132-7-0x000000001CA60000-0x000000001CAB0000-memory.dmp

Filesize
320KB

Download
memory/2132-8-0x000000001CB70000-0x000000001CC22000-memory.dmp

Filesize
712KB

Download
memory/2132-9-0x000000001D360000-0x000000001D888000-memory.dmp

Filesize
5.2MB

Download
memory/2132-10-0x00007FF8ECA53000-0x00007FF8ECA55000-memory.dmp

Filesize
8KB

Download
memory/2132-11-0x00007FF8ECA50000-0x00007FF8ED512000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads