quasar | 79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71 | Triage

Analysis

max time kernel
22s
max time network
3s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-01-2025 16:29

Sharing

Report Analysis Logs

General

Target

ddnstest.exe
Size

3.1MB
MD5

0b301a943083061bb0e95c688ad02dcf
SHA1

b26d04fcad24a618a422ae156774218d42538d88
SHA256

79b2e8bd0d46901502869063962252c0b80b77ff909f1e497bf4c04ae2f0ec71
SHA512

58e8fa3c6dd985d89fa2cd6a6f91ce87929165cee9d85b0fb1cbb70cfb33053567a333464da804ee7cee80f33bb5b065de4817812b114b9c7dbe5ef60e6ab923
SSDEEP

49152:avyI22SsaNYfdPBldt698dBcjHF2tjmzeEoGdzTHHB72eh2NT:avf22SsaNYfdPBldt6+dBcjHF2te

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

hiimbob.ddnsking.com:9112

Mutex

91f1b164-f669-47a1-b3ec-59976d66b33a

Attributes

encryption_key
FD9ED3A6AE6574CE5C854385C6AC2FC432580344
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2512-1-0x0000000000480000-0x00000000007A4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

pid	Process
2428	PING.EXE
4536	PING.EXE
2000	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

pid	Process
4536	PING.EXE
2000	PING.EXE
2428	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	ddnstest.exe
Token: SeDebugPrivilege	328	ddnstest.exe
Token: SeDebugPrivilege	3728	ddnstest.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2512	ddnstest.exe
328	ddnstest.exe
3728	ddnstest.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2512	ddnstest.exe
328	ddnstest.exe
3728	ddnstest.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3928	2512	ddnstest.exe	79
PID 2512 wrote to memory of 3928	2512	ddnstest.exe	79
PID 3928 wrote to memory of 3604	3928	cmd.exe	81
PID 3928 wrote to memory of 3604	3928	cmd.exe	81
PID 3928 wrote to memory of 2428	3928	cmd.exe	82
PID 3928 wrote to memory of 2428	3928	cmd.exe	82
PID 3928 wrote to memory of 328	3928	cmd.exe	83
PID 3928 wrote to memory of 328	3928	cmd.exe	83
PID 328 wrote to memory of 5092	328	ddnstest.exe	84
PID 328 wrote to memory of 5092	328	ddnstest.exe	84
PID 5092 wrote to memory of 724	5092	cmd.exe	86
PID 5092 wrote to memory of 724	5092	cmd.exe	86
PID 5092 wrote to memory of 4536	5092	cmd.exe	87
PID 5092 wrote to memory of 4536	5092	cmd.exe	87
PID 5092 wrote to memory of 3728	5092	cmd.exe	88
PID 5092 wrote to memory of 3728	5092	cmd.exe	88
PID 3728 wrote to memory of 3092	3728	ddnstest.exe	89
PID 3728 wrote to memory of 3092	3728	ddnstest.exe	89
PID 3092 wrote to memory of 2860	3092	cmd.exe	91
PID 3092 wrote to memory of 2860	3092	cmd.exe	91
PID 3092 wrote to memory of 2000	3092	cmd.exe	92
PID 3092 wrote to memory of 2000	3092	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
"C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yJbVJUrs05EW.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3604
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
    "C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCOWdKk0NYP6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:724
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\ddnstest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ddnstest.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74IzNIhEvjgw.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ddnstest.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\74IzNIhEvjgw.bat

Filesize
205B

MD5
79333e72c1dedc9490e5d5d07481743c

SHA1
93f161f7cc63dd6fe8f7472c24ed0894ab102c0c

SHA256
68584ee19d61eb37cd5c15c55c710d49472901764fa7fec20f92399d5388598a

SHA512
950877eb955b51a974b76a661f78d633fa9ee4e0298f5d5dc61f6ba5ad1d677d1f113f9c279c8019aaf851ff033a6cb7465d1b74eb41fd52ecd088a933fa9d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCOWdKk0NYP6.bat

Filesize
205B

MD5
de39f0f9dd1fed7230f871388f2b54f1

SHA1
6922ea0ae30a50f3819ee9fe4f5b9cdb32365da0

SHA256
e3c46324e6bcf50adbfc8979189103146402b20026fddb1332da6b43a095c56e

SHA512
8f5b13db8d0f6992f6ee7f27f4d25d4e5a78e0aa558396dfb02938be71c13b8872f557fde0ff626422e9e99c238e14c71f9a43badb02b2b94687c335733c6ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJbVJUrs05EW.bat

Filesize
205B

MD5
4fbc92c959ae7c676e448041412ead80

SHA1
d63433fbe70e89a29955d58878c07b5153cb3ff0

SHA256
f9d2b98a772859be2194e5a84578957d7caa8772eb293419daa834c80e4cfd06

SHA512
6f5684e7724bee86e89e8d90a506014959bda316ec95fa87e957ca49be7bb3b9ebd2d9d67401d6d2e0b759f16cabcdc83d9b531e7e228b00693846f7b86282f9

Download Submit
memory/328-12-0x00007FFC477B0000-0x00007FFC48272000-memory.dmp

Filesize
10.8MB

Download
memory/328-16-0x00007FFC477B0000-0x00007FFC48272000-memory.dmp

Filesize
10.8MB

Download
memory/2512-0-0x00007FFC477B3000-0x00007FFC477B5000-memory.dmp

Filesize
8KB

Download
memory/2512-1-0x0000000000480000-0x00000000007A4000-memory.dmp

Filesize
3.1MB

Download
memory/2512-2-0x00007FFC477B0000-0x00007FFC48272000-memory.dmp

Filesize
10.8MB

Download
memory/2512-3-0x000000001BF00000-0x000000001BF50000-memory.dmp

Filesize
320KB

Download
memory/2512-4-0x000000001C010000-0x000000001C0C2000-memory.dmp

Filesize
712KB

Download
memory/2512-9-0x00007FFC477B0000-0x00007FFC48272000-memory.dmp

Filesize
10.8MB

Download