quasar | 0167056e31996433544969f92a7bd0e79e44c4a56660e9c054b23ef0d707bf23

Analysis

max time kernel
94s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows.exe
Size

3.2MB
MD5

2a2ec1a8ea615248287faf97abd445e5
SHA1

0eea3289dec3fb5c6efa3c09bc65796fd71ffcbf
SHA256

75ed322604b0d21200fce3180cd91a659dfb0f788cc8037e32305054364a90bb
SHA512

0911c8bc8992ec1f36e4be276b59cc285a15fdaf2ad6abc724dbe26de8455bb752bec6d0c8aca6e14be303c6474292d3ce64cd5348be8ba2450a6323138fd30d
SSDEEP

49152:Hv2I22SsaNYfdPBldt698dBcjH8JRJ6BbR3LoGdujTHHB72eh2NT:Hvb22SsaNYfdPBldt6+dBcjH8JRJ6j

Score

10^/10

quasar pedo spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Pedo

82.65.180.207:5986

Mutex

a4c2b814-ab22-4cf2-9f11-52931b6b15b3

Attributes

encryption_key
6A4706C957DF851DA854AED16AB5CE4562B9C4D4
install_name
serv-microsoft.exe
log_directory
Logs
reconnect_delay
4000
startup_key
windows
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000880000-0x0000000000BB0000-memory.dmp	family_quasar

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3488	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	Windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4752	Windows.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3488	4752	Windows.exe	82
PID 4752 wrote to memory of 3488	4752	Windows.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\serv-microsoft.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4752-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4752-1-0x0000000000880000-0x0000000000BB0000-memory.dmp

Filesize
3.2MB

Download
memory/4752-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4752-3-0x000000001B700000-0x000000001B750000-memory.dmp

Filesize
320KB

Download
memory/4752-4-0x000000001C0D0000-0x000000001C182000-memory.dmp

Filesize
712KB

Download
memory/4752-7-0x000000001B8D0000-0x000000001B8E2000-memory.dmp

Filesize
72KB

Download
memory/4752-8-0x000000001C050000-0x000000001C08C000-memory.dmp

Filesize
240KB

Download
memory/4752-9-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4752-10-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads