quasar | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 | Triage

Analysis

max time kernel
22s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 15:14

Sharing

Report Analysis Logs

General

Target

Loader.exe
Size

3.1MB
MD5

e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1

e996894168f0d4e852162d1290250dfa986310f8
SHA256

e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512

5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP

49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Dystopian-62863.portmap.host:62863

Mutex

e1de8f9b-5a7a-4798-a6fb-c03591ef3442

Attributes

encryption_key
8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SubStart
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/files/0x00080000000191d1-6.dat	family_quasar
behavioral1/memory/2636-9-0x00000000013B0000-0x00000000016D4000-memory.dmp	family_quasar
behavioral1/memory/688-33-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2636	Client.exe
2808	Client.exe
688	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

pid	Process
3004	PING.EXE
1288	PING.EXE
2936	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

pid	Process
1288	PING.EXE
2936	PING.EXE
3004	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3052	schtasks.exe
2056	schtasks.exe
2576	schtasks.exe
1928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Loader.exe
Token: SeDebugPrivilege	2636	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	688	Client.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3052	2968	Loader.exe	30
PID 2968 wrote to memory of 3052	2968	Loader.exe	30
PID 2968 wrote to memory of 3052	2968	Loader.exe	30
PID 2968 wrote to memory of 2636	2968	Loader.exe	32
PID 2968 wrote to memory of 2636	2968	Loader.exe	32
PID 2968 wrote to memory of 2636	2968	Loader.exe	32
PID 2636 wrote to memory of 2056	2636	Client.exe	33
PID 2636 wrote to memory of 2056	2636	Client.exe	33
PID 2636 wrote to memory of 2056	2636	Client.exe	33
PID 2636 wrote to memory of 2700	2636	Client.exe	35
PID 2636 wrote to memory of 2700	2636	Client.exe	35
PID 2636 wrote to memory of 2700	2636	Client.exe	35
PID 2700 wrote to memory of 2780	2700	cmd.exe	37
PID 2700 wrote to memory of 2780	2700	cmd.exe	37
PID 2700 wrote to memory of 2780	2700	cmd.exe	37
PID 2700 wrote to memory of 2936	2700	cmd.exe	38
PID 2700 wrote to memory of 2936	2700	cmd.exe	38
PID 2700 wrote to memory of 2936	2700	cmd.exe	38
PID 2700 wrote to memory of 2808	2700	cmd.exe	40
PID 2700 wrote to memory of 2808	2700	cmd.exe	40
PID 2700 wrote to memory of 2808	2700	cmd.exe	40
PID 2808 wrote to memory of 2576	2808	Client.exe	41
PID 2808 wrote to memory of 2576	2808	Client.exe	41
PID 2808 wrote to memory of 2576	2808	Client.exe	41
PID 2808 wrote to memory of 2572	2808	Client.exe	43
PID 2808 wrote to memory of 2572	2808	Client.exe	43
PID 2808 wrote to memory of 2572	2808	Client.exe	43
PID 2572 wrote to memory of 1744	2572	cmd.exe	45
PID 2572 wrote to memory of 1744	2572	cmd.exe	45
PID 2572 wrote to memory of 1744	2572	cmd.exe	45
PID 2572 wrote to memory of 3004	2572	cmd.exe	46
PID 2572 wrote to memory of 3004	2572	cmd.exe	46
PID 2572 wrote to memory of 3004	2572	cmd.exe	46
PID 2572 wrote to memory of 688	2572	cmd.exe	47
PID 2572 wrote to memory of 688	2572	cmd.exe	47
PID 2572 wrote to memory of 688	2572	cmd.exe	47
PID 688 wrote to memory of 1928	688	Client.exe	48
PID 688 wrote to memory of 1928	688	Client.exe	48
PID 688 wrote to memory of 1928	688	Client.exe	48
PID 688 wrote to memory of 1696	688	Client.exe	50
PID 688 wrote to memory of 1696	688	Client.exe	50
PID 688 wrote to memory of 1696	688	Client.exe	50
PID 1696 wrote to memory of 1704	1696	cmd.exe	52
PID 1696 wrote to memory of 1704	1696	cmd.exe	52
PID 1696 wrote to memory of 1704	1696	cmd.exe	52
PID 1696 wrote to memory of 1288	1696	cmd.exe	53
PID 1696 wrote to memory of 1288	1696	cmd.exe	53
PID 1696 wrote to memory of 1288	1696	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2056
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\dRxIvn2qhyE2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2780
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2936
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K12xVlmPt1lX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1744
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9UvpQHEpMFSd.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9UvpQHEpMFSd.bat

Filesize
207B

MD5
2b20a3ac03a81a56cf27f143b5a43379

SHA1
76b7058d1d281b2d636f2847a493d0a1d64ceeb2

SHA256
3e658abadc9ecd3a8d2fff5628ebb9aadef5856b26ae107b804a5f63f66887d6

SHA512
d76e697f6bf7d12667c967d656f4f255c608028a5af1cfd9cb75ad96a1c75d919eb381fb0125752a3ce86fe99df29259babedc683693dfaa88669aaf76ab1dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\K12xVlmPt1lX.bat

Filesize
207B

MD5
ed5a8954648349c5e41c640973d458c1

SHA1
455aa2ea704809e7e7a738f5578b3f20364109ff

SHA256
47e0ed9f9b711e3f811ae13dd7053582b101dfd045e2ec9ac705f98e91bacd69

SHA512
7bdca843f40dbd8d8b26d7c58b0f06d1f155350f42b271a189d8af5aa00382287da43e8b0847db594e9158bd15d11409fee2e226c8475b9ec9b59c63f4b81b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dRxIvn2qhyE2.bat

Filesize
207B

MD5
95f7c7234ee162e3c7e0b83a554fe5d4

SHA1
0a7d24319f2149e08e421ff5d09cfba4ee6a1663

SHA256
95104038ec0bc1a8c3d2e4f4f76e3dbf7dd7ede083f94474e3de2920e46d73e1

SHA512
c025293062f595333c87f6a2993454f46d7c9b280bf90008a476e3610966c0422c1b720b2a190ee302c97cb8c1f1e6440f8bd4869baa9fc0642bb7d95fc51be8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e9a138d8c5ab2cccc8bf9976f66d30c8

SHA1
e996894168f0d4e852162d1290250dfa986310f8

SHA256
e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

SHA512
5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

Download Submit
memory/688-33-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download
memory/2636-9-0x00000000013B0000-0x00000000016D4000-memory.dmp

Filesize
3.1MB

Download
memory/2636-11-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-21-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-8-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2968-10-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-1-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download