quasar | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
59s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

quasar newoffice wenzcordrat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

newoffice

117.18.7.76:3782

Mutex

d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc

Attributes

encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes

encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral4/memory/4280-20-0x0000000005F40000-0x0000000006264000-memory.dmp	family_quasar
behavioral4/files/0x001b00000002ab1c-37.dat	family_quasar
behavioral4/memory/4120-44-0x0000000000770000-0x0000000000A9A000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4280	qNVQKFyM.exe
4120	WenzCord.exe
2948	ataturk.exe
4788	WenzCord.exe
2024	WenzCord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
8	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qNVQKFyM.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
936	PING.EXE
2872	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
936	PING.EXE
2872	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4420	schtasks.exe
1460	schtasks.exe
4476	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	4363463463464363463463463.exe
Token: SeDebugPrivilege	4280	qNVQKFyM.exe
Token: SeDebugPrivilege	4120	WenzCord.exe
Token: SeDebugPrivilege	4788	WenzCord.exe
Token: SeDebugPrivilege	2024	WenzCord.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4280	qNVQKFyM.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4280	3140	4363463463464363463463463.exe	78
PID 3140 wrote to memory of 4280	3140	4363463463464363463463463.exe	78
PID 3140 wrote to memory of 4280	3140	4363463463464363463463463.exe	78
PID 3140 wrote to memory of 4120	3140	4363463463464363463463463.exe	79
PID 3140 wrote to memory of 4120	3140	4363463463464363463463463.exe	79
PID 3140 wrote to memory of 2948	3140	4363463463464363463463463.exe	80
PID 3140 wrote to memory of 2948	3140	4363463463464363463463463.exe	80
PID 4120 wrote to memory of 4420	4120	WenzCord.exe	81
PID 4120 wrote to memory of 4420	4120	WenzCord.exe	81
PID 4120 wrote to memory of 4788	4120	WenzCord.exe	83
PID 4120 wrote to memory of 4788	4120	WenzCord.exe	83
PID 4788 wrote to memory of 1460	4788	WenzCord.exe	84
PID 4788 wrote to memory of 1460	4788	WenzCord.exe	84
PID 4788 wrote to memory of 2860	4788	WenzCord.exe	86
PID 4788 wrote to memory of 2860	4788	WenzCord.exe	86
PID 2860 wrote to memory of 2136	2860	cmd.exe	88
PID 2860 wrote to memory of 2136	2860	cmd.exe	88
PID 2860 wrote to memory of 936	2860	cmd.exe	89
PID 2860 wrote to memory of 936	2860	cmd.exe	89
PID 2860 wrote to memory of 2024	2860	cmd.exe	90
PID 2860 wrote to memory of 2024	2860	cmd.exe	90
PID 2024 wrote to memory of 4476	2024	WenzCord.exe	91
PID 2024 wrote to memory of 4476	2024	WenzCord.exe	91
PID 2024 wrote to memory of 5064	2024	WenzCord.exe	93
PID 2024 wrote to memory of 5064	2024	WenzCord.exe	93
PID 5064 wrote to memory of 1504	5064	cmd.exe	95
PID 5064 wrote to memory of 1504	5064	cmd.exe	95
PID 5064 wrote to memory of 2872	5064	cmd.exe	96
PID 5064 wrote to memory of 2872	5064	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4420
- - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0qcI19jWQMJ.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2136
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:936
    - - C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BisCLxqFkcxa.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
- C:\Users\Admin\AppData\Local\Temp\Files\ataturk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ataturk.exe"
  2⤵
  - Executes dropped EXE
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WenzCord.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\BisCLxqFkcxa.bat

Filesize
209B

MD5
7ba481eb065eda44bbcb7256c13f9d22

SHA1
d791a758ed9ade9b17e333cfdb186eaad4311f88

SHA256
2522f182c0a9a6b427e6bba4623d3719a3f0e802eedbb6e780dc930e318d7d92

SHA512
4425c02ae84c4fd9c70797209db3ab1d573e7b56c5528a8f78553bec9ba9b44d168b7865fedef53ae1b8fe9aec7b3d60046ff87901eff9e9519aec3419bba99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0qcI19jWQMJ.bat

Filesize
209B

MD5
bdb31702ae96252917720e7423eded2c

SHA1
c88037465421ea8df33ec7d926efb1b686421f2e

SHA256
b79faff08aec1717950a7d724dd67c784c9cbb388c4f72a5675e9abbbf9c45ff

SHA512
fa86fd9657752d132b2997b3c555e5ef92c254472c756be4f6401836fb875b7c91fdec7e7745f3b93c0318e157182e39041a0bd96bf5b12188ef5868776e0e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe

Filesize
3.1MB

MD5
f21aa436096afece0b8c39c36bf4a9ab

SHA1
976b74c6a4e59e59a812c06032aae71a0516236a

SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ataturk.exe

Filesize
56KB

MD5
a7b36da8acc804d5dd40f9500277fea9

SHA1
5c80776335618c4ad99d1796f72ebeb53a12a40b

SHA256
b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

SHA512
ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe

Filesize
3.8MB

MD5
e3a6a985899b7b14de0e539045fa8856

SHA1
1fdfc2ea75c2f52526dfa96834ec2f383d0c02f8

SHA256
30ab8dea3f9af09e931fe9c72cc52c5a1a69ab6de752f20d13e465c7a4bda6d4

SHA512
7e5f43999a1c4e46134446a259604fe9ea8d3c5688751baa83c33fa3d104e8ef2a35e2ac3c437d6ab98bf8f74696508ab643ac6030ba63c9aec7c219441ce451

Download Submit
memory/2948-56-0x0000000000BB0000-0x0000000000BC4000-memory.dmp

Filesize
80KB

Download
memory/3140-5-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3140-4-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/3140-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/3140-3-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3140-2-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/3140-1-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/4120-44-0x0000000000770000-0x0000000000A9A000-memory.dmp

Filesize
3.2MB

Download
memory/4280-18-0x0000000001170000-0x0000000001492000-memory.dmp

Filesize
3.1MB

Download
memory/4280-24-0x0000000005C10000-0x0000000005CA2000-memory.dmp

Filesize
584KB

Download
memory/4280-26-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/4280-27-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4280-28-0x00000000073E0000-0x00000000079F8000-memory.dmp

Filesize
6.1MB

Download
memory/4280-29-0x0000000006690000-0x00000000066E0000-memory.dmp

Filesize
320KB

Download
memory/4280-30-0x0000000006EB0000-0x0000000006F62000-memory.dmp

Filesize
712KB

Download
memory/4280-31-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/4280-32-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4280-25-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4280-23-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4280-21-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4280-22-0x0000000006810000-0x0000000006DB6000-memory.dmp

Filesize
5.6MB

Download
memory/4280-20-0x0000000005F40000-0x0000000006264000-memory.dmp

Filesize
3.1MB

Download
memory/4280-17-0x0000000001170000-0x0000000001492000-memory.dmp

Filesize
3.1MB

Download
memory/4280-19-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/4788-66-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download
memory/4788-65-0x000000001BE20000-0x000000001BE70000-memory.dmp

Filesize
320KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads