quasar | 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

Analysis

max time kernel
29s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

82222cff36f2c338159b23a7f18a4815
SHA1

8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512

ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP

49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus

Score

10^/10

quasar rat1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2092-1-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar
behavioral1/files/0x000d000000016fc9-5.dat	family_quasar
behavioral1/memory/2196-8-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/1916-22-0x0000000001070000-0x0000000001394000-memory.dmp	family_quasar
behavioral1/memory/2716-33-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2196	System32.exe
1916	System32.exe
2716	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2224	PING.EXE
520	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2224	PING.EXE
520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2960	schtasks.exe
3024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	Client-built.exe
Token: SeDebugPrivilege	2196	System32.exe
Token: SeDebugPrivilege	1916	System32.exe
Token: SeDebugPrivilege	2716	System32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2820	2092	Client-built.exe	30
PID 2092 wrote to memory of 2820	2092	Client-built.exe	30
PID 2092 wrote to memory of 2820	2092	Client-built.exe	30
PID 2092 wrote to memory of 2196	2092	Client-built.exe	32
PID 2092 wrote to memory of 2196	2092	Client-built.exe	32
PID 2092 wrote to memory of 2196	2092	Client-built.exe	32
PID 2196 wrote to memory of 2960	2196	System32.exe	33
PID 2196 wrote to memory of 2960	2196	System32.exe	33
PID 2196 wrote to memory of 2960	2196	System32.exe	33
PID 2196 wrote to memory of 2740	2196	System32.exe	35
PID 2196 wrote to memory of 2740	2196	System32.exe	35
PID 2196 wrote to memory of 2740	2196	System32.exe	35
PID 2740 wrote to memory of 2324	2740	cmd.exe	37
PID 2740 wrote to memory of 2324	2740	cmd.exe	37
PID 2740 wrote to memory of 2324	2740	cmd.exe	37
PID 2740 wrote to memory of 2224	2740	cmd.exe	38
PID 2740 wrote to memory of 2224	2740	cmd.exe	38
PID 2740 wrote to memory of 2224	2740	cmd.exe	38
PID 2740 wrote to memory of 1916	2740	cmd.exe	39
PID 2740 wrote to memory of 1916	2740	cmd.exe	39
PID 2740 wrote to memory of 1916	2740	cmd.exe	39
PID 1916 wrote to memory of 3024	1916	System32.exe	40
PID 1916 wrote to memory of 3024	1916	System32.exe	40
PID 1916 wrote to memory of 3024	1916	System32.exe	40
PID 1916 wrote to memory of 1416	1916	System32.exe	42
PID 1916 wrote to memory of 1416	1916	System32.exe	42
PID 1916 wrote to memory of 1416	1916	System32.exe	42
PID 1416 wrote to memory of 1052	1416	cmd.exe	44
PID 1416 wrote to memory of 1052	1416	cmd.exe	44
PID 1416 wrote to memory of 1052	1416	cmd.exe	44
PID 1416 wrote to memory of 520	1416	cmd.exe	45
PID 1416 wrote to memory of 520	1416	cmd.exe	45
PID 1416 wrote to memory of 520	1416	cmd.exe	45
PID 1416 wrote to memory of 2716	1416	cmd.exe	46
PID 1416 wrote to memory of 2716	1416	cmd.exe	46
PID 1416 wrote to memory of 2716	1416	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2820
- C:\Users\Admin\AppData\Roaming\System32\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2960
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\I35rYtSiqxSv.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2324
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2224
  - - C:\Users\Admin\AppData\Roaming\System32\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTSxiF5UYTtb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1052
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:520
      - C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FTSxiF5UYTtb.bat

Filesize
211B

MD5
fc2cc0f013e4561a126cc8ea66387f3a

SHA1
79c78f5c3d01c4b4c22aba4cf7eaeb816bd653ac

SHA256
da9d293573babc1127090c461460ba80353fd1c1b7671ac2e6bf27e1c11c6bdb

SHA512
216a3538a7a8963ffe41f83d99d89dcd1ad4ea06699145cc26cde232469c718ef2edfbdbb84b02a4580ccd8ab10e325867f97fa4a53688c048cf8fe2670ec1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\I35rYtSiqxSv.bat

Filesize
211B

MD5
7204636869d48d1ab2c8de335cf91332

SHA1
6443dcab28b41d0e562ecd8bc65129a5222b02ce

SHA256
2ca9f1e29feb8e964a405136a797b90e3604bfa1531bb960b6cf35f1e4c96f71

SHA512
9adbf44ad4e1706ac7e64e054183f5500c4409942b05dadbb7ab7d52df5fad7bf28893d2cbfe3cba759c87dd21a4ebdb46f620b5b15b0a1f80189f9f4fd10051

Download Submit
C:\Users\Admin\AppData\Roaming\System32\System32.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
memory/1916-22-0x0000000001070000-0x0000000001394000-memory.dmp

Filesize
3.1MB

Download
memory/2092-9-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2092-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-1-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/2196-8-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/2196-10-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-7-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-20-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-33-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads