quasar | 20e4551dddd4f64d90e97da62dc0befde72128d2b3995e251fb12c734b5c686b

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5JWHT_Client-built.exe
Size

3.1MB
MD5

c94e39405f4ff6b5e5bcd0f221f7602d
SHA1

1ed42e129448fe9c0e078c292b9638747c82c5d7
SHA256

20e4551dddd4f64d90e97da62dc0befde72128d2b3995e251fb12c734b5c686b
SHA512

19f420aca31adf075dfb32897c6efdbd6aa5d1129ee110bd19411e662bb3c0eff40f44dc639a40d3a2a67eb4a3cfd7ee024589caf9604ad439b08d46745cec94
SSDEEP

49152:WvVuf2NUaNmwzPWlvdaKM7ZxTwEjRJ6EbR3LoGdFBCTHHB72eh2NT:Wvgf2NUaNmwzPWlvdaB7ZxTwEjRJ6O

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

138.0.54.91:4782

192.168.3.5:4782

208.67.222.222:4782

Mutex

63563c99-67f3-4d20-8c7f-230c3d970b36

Attributes

encryption_key
E22572FBAE45F5F894074ED475A27E306499B335
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Link
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2368-1-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	5JWHT_Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2368	5JWHT_Client-built.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2368	5JWHT_Client-built.exe

C:\Users\Admin\AppData\Local\Temp\5JWHT_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\5JWHT_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2368-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2368-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-3-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2368-4-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download