quasar | 2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88

Analysis

max time kernel
129s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe
Size

10.7MB
MD5

436052b37a3752148c885667e34dd9c3
SHA1

59dbc9e97fb1c74ae666bc87e9ab2f453f780006
SHA256

2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88
SHA512

c6ef01300bb1350d64e5a4d5f48a1c013f8638ac9240820d2d27e951b0ca4b105ff2ee66a07bb3954178c7df8435dbfb561b7a7112f8f3ec79e63cedb7f4d784
SSDEEP

196608:QPW6IG7f1KCArQWGRhoDyp7t1OCf80nXIQPfMEftec7HsrEha1:w37d6T+97t1OCf80XIxQec7O

Score

10^/10

quasar svchost 2 svchost 3 discovery pyinstaller spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 3

41.216.183.179:3742

Mutex

11b8b70b-ab15-4aab-8132-3e7b18b2b48b

Attributes

encryption_key
0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7
install_name
startui.exe
log_directory
Logs
reconnect_delay
3000
startup_key
startui
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 2

41.216.183.179:3742

Mutex

d018acac-011d-4ca3-b0c3-4fdd7ec2d6d1

Attributes

encryption_key
0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7
install_name
Host Process for Windows Tasks.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Host Process for Windows Tasks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b88-12.dat	family_quasar
behavioral2/files/0x000a000000023b89-22.dat	family_quasar
behavioral2/memory/5104-50-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar
behavioral2/memory/1828-31-0x0000000000BF0000-0x0000000000F14000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe

Executes dropped EXE 6 IoCs

pid	Process
836	WormGPT.exe
1828	comsurrogate.exe
5104	svc.exe
3288	startui.exe
4452	WormGPT.exe
3220	Host Process for Windows Tasks.exe

Loads dropped DLL 7 IoCs

pid	Process
4452	WormGPT.exe
4452	WormGPT.exe
4452	WormGPT.exe
4452	WormGPT.exe
4452	WormGPT.exe
4452	WormGPT.exe
4452	WormGPT.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Host Process for Windows Tasks.exe
File created	C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe	comsurrogate.exe
File opened for modification	C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe	comsurrogate.exe
File opened for modification	C:\Windows\system32\SubDir	comsurrogate.exe
File opened for modification	C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe	Host Process for Windows Tasks.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SubDir\startui.exe	svc.exe
File opened for modification	C:\Program Files\SubDir	svc.exe
File opened for modification	C:\Program Files\SubDir\startui.exe	startui.exe
File opened for modification	C:\Program Files\SubDir	startui.exe
File created	C:\Program Files\SubDir\startui.exe	svc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000d000000023b33-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
780	schtasks.exe
3424	schtasks.exe
3404	schtasks.exe
4724	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	comsurrogate.exe
Token: SeDebugPrivilege	5104	svc.exe
Token: SeDebugPrivilege	3288	startui.exe
Token: SeDebugPrivilege	3220	Host Process for Windows Tasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3288	startui.exe
3220	Host Process for Windows Tasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 836	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	84
PID 220 wrote to memory of 836	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	84
PID 220 wrote to memory of 1828	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	86
PID 220 wrote to memory of 1828	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	86
PID 220 wrote to memory of 5104	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	87
PID 220 wrote to memory of 5104	220	2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe	87
PID 5104 wrote to memory of 780	5104	svc.exe	88
PID 5104 wrote to memory of 780	5104	svc.exe	88
PID 5104 wrote to memory of 3288	5104	svc.exe	90
PID 5104 wrote to memory of 3288	5104	svc.exe	90
PID 1828 wrote to memory of 3424	1828	comsurrogate.exe	91
PID 1828 wrote to memory of 3424	1828	comsurrogate.exe	91
PID 836 wrote to memory of 4452	836	WormGPT.exe	93
PID 836 wrote to memory of 4452	836	WormGPT.exe	93
PID 1828 wrote to memory of 3220	1828	comsurrogate.exe	94
PID 1828 wrote to memory of 3220	1828	comsurrogate.exe	94
PID 4452 wrote to memory of 2148	4452	WormGPT.exe	95
PID 4452 wrote to memory of 2148	4452	WormGPT.exe	95
PID 3220 wrote to memory of 3404	3220	Host Process for Windows Tasks.exe	96
PID 3220 wrote to memory of 3404	3220	Host Process for Windows Tasks.exe	96
PID 3288 wrote to memory of 4724	3288	startui.exe	98
PID 3288 wrote to memory of 4724	3288	startui.exe	98
PID 4452 wrote to memory of 5092	4452	WormGPT.exe	100
PID 4452 wrote to memory of 5092	4452	WormGPT.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe
"C:\Users\Admin\AppData\Local\Temp\2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\WormGPT.exe
  "C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\WormGPT.exe
    "C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5092
- C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe
  "C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3424
- - C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe
    "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3404
- C:\Users\Admin\AppData\Local\Temp\svc.exe
  "C:\Users\Admin\AppData\Local\Temp\svc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:780
- - C:\Program Files\SubDir\startui.exe
    "C:\Program Files\SubDir\startui.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WormGPT.exe

Filesize
8.6MB

MD5
1c2128b3ad0a5dc32f938362e16f6b07

SHA1
eecb906f664ff6a5fc4cded35c274cbcc342fec8

SHA256
2b093e0b16481ff4d090e4502c6ef4d547fb7003a6a07e43fc042a1550f9bb9c

SHA512
21758831af1d641c1f1aad7fb148b16c87ebf00ae5574a3f66542620931088c6ebedc61a92ccb2ffe2f1643792989541eae9180a0bdd672202df7ac455f4350e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\_tkinter.pyd

Filesize
63KB

MD5
470364d8abdc5c22828df8e22c095ed2

SHA1
4c707b1061012deb8ce4ab38772a21d3195624c2

SHA256
4262cabac7e97220d0e4bd72deb337ffd9df429860ab298b3e2d5c9223874705

SHA512
70eb15796ead54cdadf696ea6581ff2f979057c3be8c95c12ab89be51c02b2aba591f9ee9671e8c4f376c973b154d0f2e0614498c5835397411c876346429cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\base_library.zip

Filesize
1.0MB

MD5
d83e1395c18c93d96645462bb79e86ae

SHA1
7dd7988f499390ce0508e51219f70c8db426c989

SHA256
5a4fa8a060ee1eea1b7e6ea27bba2f4913469c83db0f31ceaec2c17b9a01340d

SHA512
8e011b62c15e207d694182b4e7d5997f60fff0dfb5e7aab7ade93dcd2e8a5493606b1bc03997743e22fc13b5a1a0b44c1b72ca90e63e926f8657755874881ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8362\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe

Filesize
3.1MB

MD5
026407873fa1c229033246e574724e02

SHA1
888c874808635b0b03456da413b1941c61c33686

SHA256
4531e23ad4f6443dd3e0807007afd811ea1fc6a2a35f423e9ac98bcfc21be996

SHA512
660db81f331c9ff47440d41d2e5062d92ad1fe2b7cc5559ba120c4908b5cd9a253c4fb1da323a1f0f1e7a5ce50d04e9020aec286e3eb399cb3ebdf1b765acc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svc.exe

Filesize
3.1MB

MD5
7776335b8b0d230370ca39602c484a69

SHA1
7705fb56ea438e609a6094bef10bdb2392f55719

SHA256
b6bb8a533c77034b0d4eab34ffa434b1a999cac5f59983680d222f04e437729d

SHA512
0e290749b442e317fe90591a43549a003d7f95c086d220b04eae018209a9785a1754b834d529a5839b15d2aa783edd17e52f4ab2b331e3a14c47d84ebf24899d

Download Submit
memory/1828-31-0x0000000000BF0000-0x0000000000F14000-memory.dmp

Filesize
3.1MB

Download
memory/1828-999-0x00007FFCFB890000-0x00007FFCFC351000-memory.dmp

Filesize
10.8MB

Download
memory/1828-30-0x00007FFCFB893000-0x00007FFCFB895000-memory.dmp

Filesize
8KB

Download
memory/1828-172-0x00007FFCFB890000-0x00007FFCFC351000-memory.dmp

Filesize
10.8MB

Download
memory/3288-1011-0x000000001B320000-0x000000001B370000-memory.dmp

Filesize
320KB

Download
memory/3288-1012-0x000000001BC50000-0x000000001BD02000-memory.dmp

Filesize
712KB

Download
memory/5104-50-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/5104-56-0x00007FFCFB890000-0x00007FFCFC351000-memory.dmp

Filesize
10.8MB

Download
memory/5104-739-0x00007FFCFB890000-0x00007FFCFC351000-memory.dmp

Filesize
10.8MB

Download
memory/5104-227-0x00007FFCFB890000-0x00007FFCFC351000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads