quasar | 654ce4f50fe3eaa0d41122e8702818808f3b8e047ed603dd8b81ca656bd32066

Analysis

max time kernel
28s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientX.exe
Size

3.4MB
MD5

12b286770578c1fa0d49fc78f5261bb3
SHA1

93c9e37bcbd6e3e20ed3615f5cd50c0366f4a2fe
SHA256

654ce4f50fe3eaa0d41122e8702818808f3b8e047ed603dd8b81ca656bd32066
SHA512

04fd977eab2fd6ca7cbd90944898e863d1d6a6257b0d55a6fcc267def8e9d62b131b5da69815f5886d0244ebe41189bf9632722b0ea0b3313e2e9a6528b5110d
SSDEEP

49152:TviI22SsaNYfdPBldt698dBcjHHVz+romdwdTHHB72eh2NT:Tvv22SsaNYfdPBldt6+dBcjHHVzQ8

Score

10^/10

quasar clientware spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ClientWare

o0p2e195m0-34052.portmap.host:34052

Mutex

2cf264af-b922-4553-ab2f-ca9a14803d7c

Attributes

encryption_key
822DDA51D07B74A7A6138DEA6477731894D69371
install_name
System.exe
log_directory
Logs
reconnect_delay
2000
startup_key
WindowsData
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3972-1-0x0000000000BD0000-0x0000000000F36000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c87-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3904	System.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Windows	System.exe
File created	C:\Windows\system32\Windows\System.exe	ClientX.exe
File opened for modification	C:\Windows\system32\Windows\System.exe	ClientX.exe
File opened for modification	C:\Windows\system32\Windows	ClientX.exe
File opened for modification	C:\Windows\system32\Windows\System.exe	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1692	schtasks.exe
3012	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	ClientX.exe
Token: SeDebugPrivilege	3904	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3904	System.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1692	3972	ClientX.exe	84
PID 3972 wrote to memory of 1692	3972	ClientX.exe	84
PID 3972 wrote to memory of 3904	3972	ClientX.exe	86
PID 3972 wrote to memory of 3904	3972	ClientX.exe	86
PID 3904 wrote to memory of 3012	3904	System.exe	87
PID 3904 wrote to memory of 3012	3904	System.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ClientX.exe
"C:\Users\Admin\AppData\Local\Temp\ClientX.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsData" /sc ONLOGON /tr "C:\Windows\system32\Windows\System.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1692
- C:\Windows\system32\Windows\System.exe
  "C:\Windows\system32\Windows\System.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsData" /sc ONLOGON /tr "C:\Windows\system32\Windows\System.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Windows\System.exe

Filesize
3.4MB

MD5
12b286770578c1fa0d49fc78f5261bb3

SHA1
93c9e37bcbd6e3e20ed3615f5cd50c0366f4a2fe

SHA256
654ce4f50fe3eaa0d41122e8702818808f3b8e047ed603dd8b81ca656bd32066

SHA512
04fd977eab2fd6ca7cbd90944898e863d1d6a6257b0d55a6fcc267def8e9d62b131b5da69815f5886d0244ebe41189bf9632722b0ea0b3313e2e9a6528b5110d

Download Submit
memory/3904-10-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-11-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-12-0x000000001C3E0000-0x000000001C430000-memory.dmp

Filesize
320KB

Download
memory/3904-13-0x000000001C4F0000-0x000000001C5A2000-memory.dmp

Filesize
712KB

Download
memory/3904-14-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3972-0-0x00007FF909AE3000-0x00007FF909AE5000-memory.dmp

Filesize
8KB

Download
memory/3972-1-0x0000000000BD0000-0x0000000000F36000-memory.dmp

Filesize
3.4MB

Download
memory/3972-2-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3972-9-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads