quasar | 55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1

Resubmissions

11/01/2025, 19:05

250111-xrgf9aynhl 10

Analysis

max time kernel
46s
max time network
48s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11/01/2025, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xenonew.exe
Size

3.1MB
MD5

2d60a76ce3357eecb47f10d21ba01fb0
SHA1

1798a8dee078e7bd72296e79bbd2c2061d584fd7
SHA256

55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1
SHA512

184f946295c7669f46a8fb878cb68bea943ed09c74cbd3588d4d7572295668edc8ba098f4e8c2deb21977d08ecc4b1f8e34376c4bb3074073e889864f04852e8
SSDEEP

49152:fvelL26AaNeWgPhlmVqvMQ7XSK1NRJ6XbR3LoGduTHHB72eh2NT:fvOL26AaNeWgPhlmVqkQ7XSK1NRJ6p

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

augustinevegas-31173.portmap.host:31173

Mutex

7d74883a-5879-4f61-8c23-fc7af453d7c2

Attributes

encryption_key
0B6DCD2BE4C82058601AFDA4AB9525FABE85A71D
install_name
Client.exe
log_directory
Logs
reconnect_delay
1
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2552-1-0x0000000000F40000-0x0000000001264000-memory.dmp	family_quasar
behavioral1/files/0x00290000000450d6-3.dat	family_quasar

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 5 IoCs

pid	Process
4000	Client.exe
816	Client.exe
6120	Client.exe
648	Client.exe
2772	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2364	PING.EXE
3152	PING.EXE
5492	PING.EXE
1824	PING.EXE
780	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5492	PING.EXE
1824	PING.EXE
780	PING.EXE
2364	PING.EXE
3152	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe
5752	schtasks.exe
5116	schtasks.exe
1368	schtasks.exe
6076	schtasks.exe
4444	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	xenonew.exe
Token: SeDebugPrivilege	4000	Client.exe
Token: SeDebugPrivilege	816	Client.exe
Token: SeDebugPrivilege	6120	Client.exe
Token: SeDebugPrivilege	648	Client.exe
Token: SeDebugPrivilege	2772	Client.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4000	Client.exe
816	Client.exe
6120	Client.exe
648	Client.exe
2772	Client.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4000	Client.exe
816	Client.exe
6120	Client.exe
648	Client.exe
2772	Client.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 5752	2552	xenonew.exe	81
PID 2552 wrote to memory of 5752	2552	xenonew.exe	81
PID 2552 wrote to memory of 4000	2552	xenonew.exe	83
PID 2552 wrote to memory of 4000	2552	xenonew.exe	83
PID 4000 wrote to memory of 5116	4000	Client.exe	85
PID 4000 wrote to memory of 5116	4000	Client.exe	85
PID 4000 wrote to memory of 5152	4000	Client.exe	87
PID 4000 wrote to memory of 5152	4000	Client.exe	87
PID 5152 wrote to memory of 5164	5152	cmd.exe	89
PID 5152 wrote to memory of 5164	5152	cmd.exe	89
PID 5152 wrote to memory of 1824	5152	cmd.exe	90
PID 5152 wrote to memory of 1824	5152	cmd.exe	90
PID 5152 wrote to memory of 816	5152	cmd.exe	95
PID 5152 wrote to memory of 816	5152	cmd.exe	95
PID 816 wrote to memory of 1368	816	Client.exe	96
PID 816 wrote to memory of 1368	816	Client.exe	96
PID 816 wrote to memory of 4764	816	Client.exe	98
PID 816 wrote to memory of 4764	816	Client.exe	98
PID 4764 wrote to memory of 5460	4764	cmd.exe	100
PID 4764 wrote to memory of 5460	4764	cmd.exe	100
PID 4764 wrote to memory of 780	4764	cmd.exe	101
PID 4764 wrote to memory of 780	4764	cmd.exe	101
PID 4764 wrote to memory of 6120	4764	cmd.exe	105
PID 4764 wrote to memory of 6120	4764	cmd.exe	105
PID 6120 wrote to memory of 6076	6120	Client.exe	106
PID 6120 wrote to memory of 6076	6120	Client.exe	106
PID 6120 wrote to memory of 2400	6120	Client.exe	108
PID 6120 wrote to memory of 2400	6120	Client.exe	108
PID 2400 wrote to memory of 2268	2400	cmd.exe	110
PID 2400 wrote to memory of 2268	2400	cmd.exe	110
PID 2400 wrote to memory of 2364	2400	cmd.exe	111
PID 2400 wrote to memory of 2364	2400	cmd.exe	111
PID 2400 wrote to memory of 648	2400	cmd.exe	113
PID 2400 wrote to memory of 648	2400	cmd.exe	113
PID 648 wrote to memory of 4444	648	Client.exe	114
PID 648 wrote to memory of 4444	648	Client.exe	114
PID 648 wrote to memory of 5780	648	Client.exe	116
PID 648 wrote to memory of 5780	648	Client.exe	116
PID 5780 wrote to memory of 5912	5780	cmd.exe	118
PID 5780 wrote to memory of 5912	5780	cmd.exe	118
PID 5780 wrote to memory of 3152	5780	cmd.exe	119
PID 5780 wrote to memory of 3152	5780	cmd.exe	119
PID 5780 wrote to memory of 2772	5780	cmd.exe	120
PID 5780 wrote to memory of 2772	5780	cmd.exe	120
PID 2772 wrote to memory of 2556	2772	Client.exe	121
PID 2772 wrote to memory of 2556	2772	Client.exe	121
PID 2772 wrote to memory of 5848	2772	Client.exe	123
PID 2772 wrote to memory of 5848	2772	Client.exe	123
PID 5848 wrote to memory of 1544	5848	cmd.exe	125
PID 5848 wrote to memory of 1544	5848	cmd.exe	125
PID 5848 wrote to memory of 5492	5848	cmd.exe	126
PID 5848 wrote to memory of 5492	5848	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xenonew.exe
"C:\Users\Admin\AppData\Local\Temp\xenonew.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5752
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmDkZbVHb5UL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5152
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5164
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1824
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\79qEkuy0CWC1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5460
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:780
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3wzuQpyvq9IZ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zr3Bw9guLct5.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c4CGrmN13xA0.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wzuQpyvq9IZ.bat

Filesize
207B

MD5
7b330c470ff02accacddd69dd2338ea8

SHA1
6eff3481a0b6e88fa08df5f1e651c5322e1922ce

SHA256
648a5c5df8a6a117923d993f23cd4dcd523e9d65b12e5967321bc3d07f5b7f5e

SHA512
c5f1d553c8a53ae7769e02586f8e0031e392632ef3cc2e27988de6ed65b2f518b3964c286233ea91cafbb2b54578b423b917e36cc95586908412a690c39625c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\79qEkuy0CWC1.bat

Filesize
207B

MD5
7cb6db31f9b7f802b3bb5ce4f5719dcd

SHA1
cead6ee9a4c4b65421b3520096e2bcc8a2d57f88

SHA256
61da2d22c4dcbeaab01170a5c371b3f68a4fcf12f73ac8baf490318ba087b5cc

SHA512
941e6b54971afce393bf279cdb6ba57361c7df784a6871482ac993b9c6dd272c03b22ce8c58e2a3e5b810f97337239e33cf8ef56298a9a900ee419bf16fe42d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmDkZbVHb5UL.bat

Filesize
207B

MD5
c1d9cea559d4ef18c8762ba44284e5bf

SHA1
d14b882b3cd4d0fde8a026d19a270991478ef0cb

SHA256
221a1e924cf98b5a306c622e05a42565cc822e2232a4343670037de4e38a5e63

SHA512
6c1323c9c45d6e46e5c6b5b5ce7ee7d1e7e6b2a774369c2582e594639552531baa0db498ea83fa88e9341634ef68719339e368dbf0340b8251c03e0b761b7947

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4CGrmN13xA0.bat

Filesize
207B

MD5
e0cd21d212f701b9ac17eef296b9c8e5

SHA1
02c2ac3174b47d838ddb8488bbc1d28bfe76ef99

SHA256
35c20a54e20feffe20a06d9d948ea0bbe1ddd19aa039e0371043016c8771c524

SHA512
7ecc324f3e98312de9c463b99436a4fd9cb0590515b606c7fcac5f7987f1d9d3534c451c15249c45c16eecadaaa32a41ec19eea9e32dcfa095e4a719372788e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zr3Bw9guLct5.bat

Filesize
207B

MD5
718bbbe2608922e759b9d604ef4db457

SHA1
1f09e48791e7f0b947cc28291ac2afed3e3a5241

SHA256
d3ffff972ad643fd2240969bfd5b2d5392c649d41d3a2d5f9cbbafc1b4772c48

SHA512
95294caf6f0630e97db47fbd27c479887e320ceb62b868ce65d50f1cda1a4054373c67e8b3f603b20cb0d5892e5a13dcb392b9a53d039153e6d1c0ba833e1ef7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
2d60a76ce3357eecb47f10d21ba01fb0

SHA1
1798a8dee078e7bd72296e79bbd2c2061d584fd7

SHA256
55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1

SHA512
184f946295c7669f46a8fb878cb68bea943ed09c74cbd3588d4d7572295668edc8ba098f4e8c2deb21977d08ecc4b1f8e34376c4bb3074073e889864f04852e8

Download Submit
memory/2552-1-0x0000000000F40000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/2552-2-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/2552-0-0x00007FFBCCB73000-0x00007FFBCCB75000-memory.dmp

Filesize
8KB

Download
memory/2552-6-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/4000-5-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/4000-17-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/4000-9-0x000000001D0F0000-0x000000001D1A2000-memory.dmp

Filesize
712KB

Download
memory/4000-8-0x000000001CFE0000-0x000000001D030000-memory.dmp

Filesize
320KB

Download
memory/4000-7-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads