quasar | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 | Triage

Analysis

max time kernel
23s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-12-2024 15:14

Sharing

Report Analysis Logs

General

Target

Loader.exe
Size

3.1MB
MD5

e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1

e996894168f0d4e852162d1290250dfa986310f8
SHA256

e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512

5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP

49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Dystopian-62863.portmap.host:62863

Mutex

e1de8f9b-5a7a-4798-a6fb-c03591ef3442

Attributes

encryption_key
8C1BB32BFD240218BA0CB04D65341FB1FDE1E001
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SubStart
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/memory/4784-1-0x0000000000AA0000-0x0000000000DC4000-memory.dmp	family_quasar
behavioral4/files/0x004000000002aae2-6.dat	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2072	Client.exe
2420	Client.exe
3700	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

pid	Process
3284	PING.EXE
4988	PING.EXE
1608	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

pid	Process
4988	PING.EXE
1608	PING.EXE
3284	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3144	schtasks.exe
4956	schtasks.exe
4948	schtasks.exe
4280	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	Loader.exe
Token: SeDebugPrivilege	2072	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	3700	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2072	Client.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3144	4784	Loader.exe	77
PID 4784 wrote to memory of 3144	4784	Loader.exe	77
PID 4784 wrote to memory of 2072	4784	Loader.exe	79
PID 4784 wrote to memory of 2072	4784	Loader.exe	79
PID 2072 wrote to memory of 4956	2072	Client.exe	80
PID 2072 wrote to memory of 4956	2072	Client.exe	80
PID 2072 wrote to memory of 332	2072	Client.exe	82
PID 2072 wrote to memory of 332	2072	Client.exe	82
PID 332 wrote to memory of 1644	332	cmd.exe	84
PID 332 wrote to memory of 1644	332	cmd.exe	84
PID 332 wrote to memory of 3284	332	cmd.exe	85
PID 332 wrote to memory of 3284	332	cmd.exe	85
PID 332 wrote to memory of 2420	332	cmd.exe	86
PID 332 wrote to memory of 2420	332	cmd.exe	86
PID 2420 wrote to memory of 4948	2420	Client.exe	87
PID 2420 wrote to memory of 4948	2420	Client.exe	87
PID 2420 wrote to memory of 4812	2420	Client.exe	89
PID 2420 wrote to memory of 4812	2420	Client.exe	89
PID 4812 wrote to memory of 1256	4812	cmd.exe	91
PID 4812 wrote to memory of 1256	4812	cmd.exe	91
PID 4812 wrote to memory of 4988	4812	cmd.exe	92
PID 4812 wrote to memory of 4988	4812	cmd.exe	92
PID 4812 wrote to memory of 3700	4812	cmd.exe	93
PID 4812 wrote to memory of 3700	4812	cmd.exe	93
PID 3700 wrote to memory of 4280	3700	Client.exe	94
PID 3700 wrote to memory of 4280	3700	Client.exe	94
PID 3700 wrote to memory of 632	3700	Client.exe	96
PID 3700 wrote to memory of 632	3700	Client.exe	96
PID 632 wrote to memory of 3784	632	cmd.exe	98
PID 632 wrote to memory of 3784	632	cmd.exe	98
PID 632 wrote to memory of 1608	632	cmd.exe	99
PID 632 wrote to memory of 1608	632	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3144
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyqEV1lpEdGS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1644
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3284
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ui75tW5Oxqes.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1256
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4988
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGBhWB2VzJm6.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGBhWB2VzJm6.bat

Filesize
207B

MD5
fb9e3b3774f773fe4aebaf09b6434289

SHA1
c975f3f97f06728099d7830ee3cec99c0c2d217a

SHA256
eaca7c3142348011a7929a6d3fd1008809e8d35312cb83d32483cee61d6bf8c2

SHA512
f28ad2b09af6419524fcf85b115cdef600ac442fbd477644b50d56c1da03c3d7aa5fb233bee919e2ddadd2cc3a18389b7f2aa183c9eb605656ca443a6e284cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ui75tW5Oxqes.bat

Filesize
207B

MD5
970efd01cccf5ac9f8f41793a392515f

SHA1
79d91e9c4342b099e6afce6aed90aa3d2ca51ef8

SHA256
889c6005d71191cdd35097dd972ba3907a5d4b0cf9395ad7458e0467baf31b7d

SHA512
30adc0ce3603a0c1dca7503c748c445f828ef1bd66fb6bc0d43e346805f41b709826bf72e6a4b9ab44a9cf43b5d2a32946adfb9a864efd1021982a239f55dd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyqEV1lpEdGS.bat

Filesize
207B

MD5
b73a56fe6ab71a579955560c5f416898

SHA1
6360bf6f1785ee4ecf1409ff181e5c34b905373d

SHA256
9d3f2a574073328a66838146debf9c4f06a163312a2265f82fd06803e7c5daf9

SHA512
cfe6df904e66bd7d354f970fb568c7964ecc7052ceec2ed9d7cd849522a46aa1c1960dba892791d7ee185fb3e522079fc211b88f37ffa8d61406bb6ea169220b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e9a138d8c5ab2cccc8bf9976f66d30c8

SHA1
e996894168f0d4e852162d1290250dfa986310f8

SHA256
e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3

SHA512
5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc

Download Submit
memory/2072-11-0x00007FFF71D20000-0x00007FFF727E2000-memory.dmp

Filesize
10.8MB

Download
memory/2072-12-0x000000001B0B0000-0x000000001B100000-memory.dmp

Filesize
320KB

Download
memory/2072-13-0x000000001B8E0000-0x000000001B992000-memory.dmp

Filesize
712KB

Download
memory/2072-18-0x00007FFF71D20000-0x00007FFF727E2000-memory.dmp

Filesize
10.8MB

Download
memory/2072-10-0x00007FFF71D20000-0x00007FFF727E2000-memory.dmp

Filesize
10.8MB

Download
memory/4784-0-0x00007FFF71D23000-0x00007FFF71D25000-memory.dmp

Filesize
8KB

Download
memory/4784-9-0x00007FFF71D20000-0x00007FFF727E2000-memory.dmp

Filesize
10.8MB

Download
memory/4784-2-0x00007FFF71D20000-0x00007FFF727E2000-memory.dmp

Filesize
10.8MB

Download
memory/4784-1-0x0000000000AA0000-0x0000000000DC4000-memory.dmp

Filesize
3.1MB

Download