quasar | 76914f3b3fe9bd7f1b26246c82b84d20154d31708a3c79b0119c001d54003642

Analysis

max time kernel
3s
max time network
7s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-01-2025 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RichExecutor.exe
Size

3.2MB
MD5

3e259987fd830f752a6ca1b303eaab66
SHA1

c49cb58d9c40654fd6bc1e334edc413796242fb3
SHA256

76914f3b3fe9bd7f1b26246c82b84d20154d31708a3c79b0119c001d54003642
SHA512

589d35702cfa51afb53539b44d4e2aed4aa3f6a66f533af63fd2f5b141ecbba0c75512fd7c09555aa42a05d453c8315ee29c47b18246953293c7789d18fc7794
SSDEEP

49152:DvqlL26AaNeWgPhlmVqvMQ7XSK1r6kBxfMoGdSPTHHB72eh2NT:DvSL26AaNeWgPhlmVqkQ7XSK16fC

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.212:4782

Mutex

5c88d3df-67a5-43bd-aea9-9582dd701a3d

Attributes

encryption_key
261C8D2C07C00AB3DF0B1ABF37A28F8A97554D73
install_name
RIchExecutor.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3912-1-0x0000000000F50000-0x0000000001282000-memory.dmp	family_quasar
behavioral1/files/0x001d00000002ab53-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5020	RIchExecutor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4032	schtasks.exe
4048	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	RichExecutor.exe
Token: SeDebugPrivilege	5020	RIchExecutor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5020	RIchExecutor.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5020	RIchExecutor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4032	3912	RichExecutor.exe	77
PID 3912 wrote to memory of 4032	3912	RichExecutor.exe	77
PID 3912 wrote to memory of 5020	3912	RichExecutor.exe	79
PID 3912 wrote to memory of 5020	3912	RichExecutor.exe	79
PID 5020 wrote to memory of 4048	5020	RIchExecutor.exe	80
PID 5020 wrote to memory of 4048	5020	RIchExecutor.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RichExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\RichExecutor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RIchExecutor.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4032
- C:\Users\Admin\AppData\Roaming\SubDir\RIchExecutor.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\RIchExecutor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\RIchExecutor.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RIchExecutor.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\RIchExecutor.exe

Filesize
3.2MB

MD5
3e259987fd830f752a6ca1b303eaab66

SHA1
c49cb58d9c40654fd6bc1e334edc413796242fb3

SHA256
76914f3b3fe9bd7f1b26246c82b84d20154d31708a3c79b0119c001d54003642

SHA512
589d35702cfa51afb53539b44d4e2aed4aa3f6a66f533af63fd2f5b141ecbba0c75512fd7c09555aa42a05d453c8315ee29c47b18246953293c7789d18fc7794

Download Submit
memory/3912-0-0x00007FF8E89D3000-0x00007FF8E89D5000-memory.dmp

Filesize
8KB

Download
memory/3912-1-0x0000000000F50000-0x0000000001282000-memory.dmp

Filesize
3.2MB

Download
memory/3912-2-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/3912-10-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/5020-9-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/5020-11-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/5020-12-0x00000000029A0000-0x00000000029F0000-memory.dmp

Filesize
320KB

Download
memory/5020-13-0x000000001BFD0000-0x000000001C082000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads