quasar | 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Size

3.6MB
MD5

948d8d109d5498949cb6df8ddf011187
SHA1

a34388517b5d91508739469cfcb99415a0aaeeb3
SHA256

68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422
SHA512

91c910b08a0e7a759211d915ccb3d14b8c5318c3ac7fb0b8d558d4804e569c1ae7317925539e30bf5325f06c2bdc5c3bddeeb425ae37c2800709cbccaa1e4a6a
SSDEEP

49152:7REIID3HchpnsFxF091txtO9fIkT/SvVp241xdbsvhIK7Nj7ktaJA40WQv6JNnqu:7+TIxtO9fIt7xUxkt+A4Nnqy1aaW4

Score

10^/10

quasar code discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CODE

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

code1.ydns.eu:5287

wqo9.firewall-gateway.de:9792

Mutex

025351e291-5d1041-4fa37-932c7-869aeiQec514992

Attributes

encryption_key
3145298725BA5E0DD56E87FFE3F8898EA81E6EDA
install_name
Exccelworkbook.exe
log_directory
Logs
reconnect_delay
6000
startup_key
pdfdocument
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1232-11-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4732	Exccelworkbook.exe
4820	Exccelworkbook.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4732 set thread context of 4820	4732	Exccelworkbook.exe	108

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exccelworkbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exccelworkbook.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1184	schtasks.exe
4124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Token: SeDebugPrivilege	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Token: SeDebugPrivilege	4820	Exccelworkbook.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4820	Exccelworkbook.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1716	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	97
PID 4988 wrote to memory of 1716	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	97
PID 4988 wrote to memory of 1716	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	97
PID 4988 wrote to memory of 4604	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	98
PID 4988 wrote to memory of 4604	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	98
PID 4988 wrote to memory of 4604	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	98
PID 4988 wrote to memory of 3860	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	99
PID 4988 wrote to memory of 3860	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	99
PID 4988 wrote to memory of 3860	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	99
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 4988 wrote to memory of 1232	4988	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	100
PID 1232 wrote to memory of 1184	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	101
PID 1232 wrote to memory of 1184	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	101
PID 1232 wrote to memory of 1184	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	101
PID 1232 wrote to memory of 4732	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	103
PID 1232 wrote to memory of 4732	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	103
PID 1232 wrote to memory of 4732	1232	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe	103
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4732 wrote to memory of 4820	4732	Exccelworkbook.exe	108
PID 4820 wrote to memory of 4124	4820	Exccelworkbook.exe	109
PID 4820 wrote to memory of 4124	4820	Exccelworkbook.exe	109
PID 4820 wrote to memory of 4124	4820	Exccelworkbook.exe	109

C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
"C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
  "C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
  "C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
  2⤵
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
  "C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
  2⤵
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
  "C:\Users\Admin\AppData\Local\Temp\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1184
- - C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Exccelworkbook.exe

Filesize
3.6MB

MD5
948d8d109d5498949cb6df8ddf011187

SHA1
a34388517b5d91508739469cfcb99415a0aaeeb3

SHA256
68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422

SHA512
91c910b08a0e7a759211d915ccb3d14b8c5318c3ac7fb0b8d558d4804e569c1ae7317925539e30bf5325f06c2bdc5c3bddeeb425ae37c2800709cbccaa1e4a6a

Download Submit
memory/1232-11-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1232-22-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1232-15-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1232-13-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4732-23-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4732-24-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4732-28-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4820-36-0x0000000008240000-0x00000000082A6000-memory.dmp

Filesize
408KB

Download
memory/4820-35-0x0000000008190000-0x00000000081CC000-memory.dmp

Filesize
240KB

Download
memory/4820-34-0x0000000008130000-0x0000000008142000-memory.dmp

Filesize
72KB

Download
memory/4820-31-0x0000000006B50000-0x0000000006C02000-memory.dmp

Filesize
712KB

Download
memory/4820-30-0x00000000068E0000-0x0000000006930000-memory.dmp

Filesize
320KB

Download
memory/4820-29-0x0000000006D60000-0x0000000007378000-memory.dmp

Filesize
6.1MB

Download
memory/4988-5-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4988-2-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/4988-1-0x0000000000480000-0x0000000000824000-memory.dmp

Filesize
3.6MB

Download
memory/4988-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4988-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/4988-4-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4988-14-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4988-7-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4988-6-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/4988-10-0x000000000C380000-0x000000000C41C000-memory.dmp

Filesize
624KB

Download
memory/4988-9-0x0000000007EC0000-0x0000000008228000-memory.dmp

Filesize
3.4MB

Download
memory/4988-8-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download