quasar | 79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71

Analysis

max time kernel
99s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddnstest.exe
Size

3.1MB
MD5

0b301a943083061bb0e95c688ad02dcf
SHA1

b26d04fcad24a618a422ae156774218d42538d88
SHA256

79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71
SHA512

58e8fa3c6dd985d89fa2cd6a6f91ce87929165cee9d85b0fb1cbb70cfb33053567a333464da804ee7cee80f33bb5b065de4817812b114b9c7dbe5ef60e6ab923
SSDEEP

49152:avyI22SsaNYfdPBldt698dBcjHF2tjmzeEoGdzTHHB72eh2NT:avf22SsaNYfdPBldt6+dBcjHF2te

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hiimbob.ddnsking.com:9112

Mutex

91f1b164-f669-47a1-b3ec-59976d66b33a

Attributes

encryption_key
FD9ED3A6AE6574CE5C854385C6AC2FC432580344
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2388-1-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ddnstest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4532	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4532	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	ddnstest.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2388	ddnstest.exe
2388	ddnstest.exe
2388	ddnstest.exe
2388	ddnstest.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2388	ddnstest.exe
2388	ddnstest.exe
2388	ddnstest.exe
2388	ddnstest.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2388	ddnstest.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3080	2388	ddnstest.exe	87
PID 2388 wrote to memory of 3080	2388	ddnstest.exe	87
PID 3080 wrote to memory of 1860	3080	cmd.exe	89
PID 3080 wrote to memory of 1860	3080	cmd.exe	89
PID 3080 wrote to memory of 4532	3080	cmd.exe	90
PID 3080 wrote to memory of 4532	3080	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
"C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sFfeRhxfsAho.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1860
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sFfeRhxfsAho.bat

Filesize
209B

MD5
df233b5f40400f792dbe3bb9028f1e32

SHA1
ba4e18e0dd044885df26ea4fb065136676f4cf89

SHA256
897ecab78a2ef18dbb37586e97e1dfea4f4491918bf192504a4d3c47cbe686a5

SHA512
d01b9e0659ad669b122d2fd96e5144e7183ee6498825b138524d539643f17d13e74671e188b0c9f42c6eeafd0ccb991e6338f3019020c24251f9537dc4511629

Download Submit
memory/2388-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/2388-1-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/2388-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/2388-3-0x000000001CB10000-0x000000001CB60000-memory.dmp

Filesize
320KB

Download
memory/2388-4-0x000000001CC20000-0x000000001CCD2000-memory.dmp

Filesize
712KB

Download
memory/2388-7-0x000000001CBA0000-0x000000001CBB2000-memory.dmp

Filesize
72KB

Download
memory/2388-8-0x000000001D720000-0x000000001D75C000-memory.dmp

Filesize
240KB

Download
memory/2388-9-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/2388-10-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/2388-15-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download