quasar | 79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71

Analysis

max time kernel
33s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-01-2025 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddnstest.exe
Size

3.1MB
MD5

0b301a943083061bb0e95c688ad02dcf
SHA1

b26d04fcad24a618a422ae156774218d42538d88
SHA256

79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71
SHA512

58e8fa3c6dd985d89fa2cd6a6f91ce87929165cee9d85b0fb1cbb70cfb33053567a333464da804ee7cee80f33bb5b065de4817812b114b9c7dbe5ef60e6ab923
SSDEEP

49152:avyI22SsaNYfdPBldt698dBcjHF2tjmzeEoGdzTHHB72eh2NT:avf22SsaNYfdPBldt6+dBcjHF2te

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hiimbob.ddnsking.com:9112

Mutex

91f1b164-f669-47a1-b3ec-59976d66b33a

Attributes

encryption_key
FD9ED3A6AE6574CE5C854385C6AC2FC432580344
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4956-1-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	ddnstest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	ddnstest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	ddnstest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	ddnstest.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2876	PING.EXE
4376	PING.EXE
960	PING.EXE
1276	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2876	PING.EXE
4376	PING.EXE
960	PING.EXE
1276	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	ddnstest.exe
Token: SeDebugPrivilege	2000	ddnstest.exe
Token: SeDebugPrivilege	3088	ddnstest.exe
Token: SeDebugPrivilege	1680	ddnstest.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4956	ddnstest.exe
2000	ddnstest.exe
3088	ddnstest.exe
1680	ddnstest.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4956	ddnstest.exe
2000	ddnstest.exe
3088	ddnstest.exe
1680	ddnstest.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4064	4956	ddnstest.exe	84
PID 4956 wrote to memory of 4064	4956	ddnstest.exe	84
PID 4064 wrote to memory of 3316	4064	cmd.exe	86
PID 4064 wrote to memory of 3316	4064	cmd.exe	86
PID 4064 wrote to memory of 2876	4064	cmd.exe	87
PID 4064 wrote to memory of 2876	4064	cmd.exe	87
PID 4064 wrote to memory of 2000	4064	cmd.exe	93
PID 4064 wrote to memory of 2000	4064	cmd.exe	93
PID 2000 wrote to memory of 1748	2000	ddnstest.exe	94
PID 2000 wrote to memory of 1748	2000	ddnstest.exe	94
PID 1748 wrote to memory of 3792	1748	cmd.exe	96
PID 1748 wrote to memory of 3792	1748	cmd.exe	96
PID 1748 wrote to memory of 4376	1748	cmd.exe	97
PID 1748 wrote to memory of 4376	1748	cmd.exe	97
PID 1748 wrote to memory of 3088	1748	cmd.exe	100
PID 1748 wrote to memory of 3088	1748	cmd.exe	100
PID 3088 wrote to memory of 1672	3088	ddnstest.exe	101
PID 3088 wrote to memory of 1672	3088	ddnstest.exe	101
PID 1672 wrote to memory of 924	1672	cmd.exe	103
PID 1672 wrote to memory of 924	1672	cmd.exe	103
PID 1672 wrote to memory of 960	1672	cmd.exe	104
PID 1672 wrote to memory of 960	1672	cmd.exe	104
PID 1672 wrote to memory of 1680	1672	cmd.exe	106
PID 1672 wrote to memory of 1680	1672	cmd.exe	106
PID 1680 wrote to memory of 4516	1680	ddnstest.exe	107
PID 1680 wrote to memory of 4516	1680	ddnstest.exe	107
PID 4516 wrote to memory of 4052	4516	cmd.exe	109
PID 4516 wrote to memory of 4052	4516	cmd.exe	109
PID 4516 wrote to memory of 1276	4516	cmd.exe	110
PID 4516 wrote to memory of 1276	4516	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
"C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pe5ODO5SMW7e.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3316
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
    "C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y7E0xbNS7Feo.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3792
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1nG0t03Qp4DJ.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9PewqT71uEe0.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ddnstest.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nG0t03Qp4DJ.bat

Filesize
205B

MD5
8f52f01be6ec9dad44aa44c70bf0be1d

SHA1
a6de9db10294dea090b5384205c9178f65fe79b7

SHA256
70bcbb33aad617703922ee3edbb126d12ac2d3d3e7bff60b95e9bc290fd7f2af

SHA512
5f9f04e08ffcbdb975b61268c1915a9a792807f96111ebae1ae1a40a0d2024b2be34644f1da4023bbfb9ea2ec9e919fa3c8ad938ae601b907f8caf35c944a364

Download Submit
C:\Users\Admin\AppData\Local\Temp\9PewqT71uEe0.bat

Filesize
205B

MD5
0fd08e0105a6f4220fbd1b7f1a3dad31

SHA1
d4cf93d80ce8721aaf12d054aab377827dfa7720

SHA256
ed11a613de50d43f31d81b6177c83d6959075eb508f8d620c3f6601b2ece5f34

SHA512
c8b311ea2c5e0b600204fae685aae98fddedea86f9eced8910bc7a398739dfcefd72bda3c766c6b3feace1683b3af4b1a2c1c7156ad12ac3d998a15056462a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pe5ODO5SMW7e.bat

Filesize
205B

MD5
89c2d04a4048510c9092e9f0acb214c1

SHA1
09bbfcc50671def2a87c14433d5368b52fdfa210

SHA256
4f307ac2aa4454867ddee8a775cd1a867acf6b3fb1f69622a51eafe2786f2c8f

SHA512
26ef042be0c586e52cb43d0e2951a2faa4d428a4c68235e406f37b7daf7ca8472102535feda8a8862d905105e9292a059d9b0c64a5cd02b4cf180a889cb09c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7E0xbNS7Feo.bat

Filesize
205B

MD5
af4ad2c1a041c4a8660cfe53447cde08

SHA1
6890fd3c310ebcc459b4d374eb3e9947f30d3389

SHA256
25cb5869a341f1adf5b0280bd9ed04ef89b4d0ddf17de3ea9feb94aab39c04bb

SHA512
f32c0bbd29a77810f825b57cc81dc68dc020e7414827cb525f850831d90e4422738e142b5f709d547d505cfe9e93e94b6c7fb00a6f9286eb5024622acd10dd58

Download Submit
memory/2000-22-0x00007FFE2B900000-0x00007FFE2C3C2000-memory.dmp

Filesize
10.8MB

Download
memory/2000-15-0x00007FFE2B900000-0x00007FFE2C3C2000-memory.dmp

Filesize
10.8MB

Download
memory/4956-3-0x000000001C4B0000-0x000000001C500000-memory.dmp

Filesize
320KB

Download
memory/4956-12-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/4956-4-0x000000001C5C0000-0x000000001C672000-memory.dmp

Filesize
712KB

Download
memory/4956-0-0x00007FFE2C393000-0x00007FFE2C395000-memory.dmp

Filesize
8KB

Download
memory/4956-2-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/4956-1-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download