quasar | 9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DriverHost.exe
Size

3.1MB
MD5

be32c281194c0a859cca202a418a16a3
SHA1

e2c3885c8bc9b24b492f68a2c69ebf0c488abebc
SHA256

9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36
SHA512

541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f
SSDEEP

49152:HvnlL26AaNeWgPhlmVqvMQ7XSKKzDKkCWZLoGAVATHHB72eh2NT:HvlL26AaNeWgPhlmVqkQ7XSKKzDjp

Score

10^/10

quasar driver host spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Driver Host

VisoXC-59263.portmap.host:59263

Mutex

80b8889c-1e9f-4330-a95e-a3d9faf3bfc4

Attributes

encryption_key
C1589EF424F77018CD488E8307C8C1DF199C8A42
install_name
driverhost32.exe
log_directory
Driver Logs
reconnect_delay
3000
startup_key
driverhost32
subdirectory
Driver Host

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2548-1-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b82-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5076	driverhost32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
316	schtasks.exe
1800	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	DriverHost.exe
Token: SeDebugPrivilege	5076	driverhost32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5076	driverhost32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 316	2548	DriverHost.exe	82
PID 2548 wrote to memory of 316	2548	DriverHost.exe	82
PID 2548 wrote to memory of 5076	2548	DriverHost.exe	84
PID 2548 wrote to memory of 5076	2548	DriverHost.exe	84
PID 5076 wrote to memory of 1800	5076	driverhost32.exe	85
PID 5076 wrote to memory of 1800	5076	driverhost32.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DriverHost.exe
"C:\Users\Admin\AppData\Local\Temp\DriverHost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "driverhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:316
- C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe
  "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "driverhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe

Filesize
3.1MB

MD5
be32c281194c0a859cca202a418a16a3

SHA1
e2c3885c8bc9b24b492f68a2c69ebf0c488abebc

SHA256
9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36

SHA512
541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f

Download Submit
memory/2548-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/2548-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/2548-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/2548-8-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5076-9-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5076-10-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5076-11-0x000000001BCF0000-0x000000001BD40000-memory.dmp

Filesize
320KB

Download
memory/5076-12-0x000000001DE30000-0x000000001DEE2000-memory.dmp

Filesize
712KB

Download
memory/5076-13-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads