quasar | 629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

43ba56942448efaf6200c561be3aa4cd
SHA1

26a8f505a3e1aee989c56b35cef729fc77b1c028
SHA256

629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024
SHA512

59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe
SSDEEP

49152:6vsG42pda6D+/PjlLOlg6yQipV9fBtIBxwMoGdaYTHHB72eh2NT:6v342pda6D+/PjlLOlZyQipVLtg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.178.56:4782

tcp://5.tcp.eu.ngrok.io:13134:7771

Mutex

0552115c-2459-453f-980d-c60aebb9957e

Attributes

encryption_key
1DEED326568BA39A5A6D6473414A146E2A7F5724
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1832-1-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ace-5.dat	family_quasar
behavioral1/memory/2308-7-0x00000000011E0000-0x0000000001504000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

pid	Process
2308	Client.exe
2684	Client.exe
1808	Client.exe
1104	Client.exe
2456	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2968	PING.EXE
2080	PING.EXE
916	PING.EXE
2288	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2968	PING.EXE
2080	PING.EXE
916	PING.EXE
2288	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	Client-built.exe
Token: SeDebugPrivilege	2308	Client.exe
Token: SeDebugPrivilege	2684	Client.exe
Token: SeDebugPrivilege	1808	Client.exe
Token: SeDebugPrivilege	1104	Client.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2308	Client.exe
2684	Client.exe
1808	Client.exe
1104	Client.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2308	Client.exe
2684	Client.exe
1808	Client.exe
1104	Client.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2308	Client.exe
2684	Client.exe
1808	Client.exe
1104	Client.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2308	1832	Client-built.exe	30
PID 1832 wrote to memory of 2308	1832	Client-built.exe	30
PID 1832 wrote to memory of 2308	1832	Client-built.exe	30
PID 2308 wrote to memory of 3056	2308	Client.exe	32
PID 2308 wrote to memory of 3056	2308	Client.exe	32
PID 2308 wrote to memory of 3056	2308	Client.exe	32
PID 3056 wrote to memory of 2844	3056	cmd.exe	34
PID 3056 wrote to memory of 2844	3056	cmd.exe	34
PID 3056 wrote to memory of 2844	3056	cmd.exe	34
PID 3056 wrote to memory of 2968	3056	cmd.exe	35
PID 3056 wrote to memory of 2968	3056	cmd.exe	35
PID 3056 wrote to memory of 2968	3056	cmd.exe	35
PID 3056 wrote to memory of 2684	3056	cmd.exe	36
PID 3056 wrote to memory of 2684	3056	cmd.exe	36
PID 3056 wrote to memory of 2684	3056	cmd.exe	36
PID 2684 wrote to memory of 2312	2684	Client.exe	37
PID 2684 wrote to memory of 2312	2684	Client.exe	37
PID 2684 wrote to memory of 2312	2684	Client.exe	37
PID 2312 wrote to memory of 796	2312	cmd.exe	39
PID 2312 wrote to memory of 796	2312	cmd.exe	39
PID 2312 wrote to memory of 796	2312	cmd.exe	39
PID 2312 wrote to memory of 2080	2312	cmd.exe	40
PID 2312 wrote to memory of 2080	2312	cmd.exe	40
PID 2312 wrote to memory of 2080	2312	cmd.exe	40
PID 2312 wrote to memory of 1808	2312	cmd.exe	41
PID 2312 wrote to memory of 1808	2312	cmd.exe	41
PID 2312 wrote to memory of 1808	2312	cmd.exe	41
PID 1808 wrote to memory of 2224	1808	Client.exe	42
PID 1808 wrote to memory of 2224	1808	Client.exe	42
PID 1808 wrote to memory of 2224	1808	Client.exe	42
PID 2224 wrote to memory of 1476	2224	cmd.exe	44
PID 2224 wrote to memory of 1476	2224	cmd.exe	44
PID 2224 wrote to memory of 1476	2224	cmd.exe	44
PID 2224 wrote to memory of 916	2224	cmd.exe	45
PID 2224 wrote to memory of 916	2224	cmd.exe	45
PID 2224 wrote to memory of 916	2224	cmd.exe	45
PID 2224 wrote to memory of 1104	2224	cmd.exe	46
PID 2224 wrote to memory of 1104	2224	cmd.exe	46
PID 2224 wrote to memory of 1104	2224	cmd.exe	46
PID 1104 wrote to memory of 1324	1104	Client.exe	47
PID 1104 wrote to memory of 1324	1104	Client.exe	47
PID 1104 wrote to memory of 1324	1104	Client.exe	47
PID 1324 wrote to memory of 1248	1324	cmd.exe	49
PID 1324 wrote to memory of 1248	1324	cmd.exe	49
PID 1324 wrote to memory of 1248	1324	cmd.exe	49
PID 1324 wrote to memory of 2288	1324	cmd.exe	50
PID 1324 wrote to memory of 2288	1324	cmd.exe	50
PID 1324 wrote to memory of 2288	1324	cmd.exe	50
PID 1324 wrote to memory of 2456	1324	cmd.exe	51
PID 1324 wrote to memory of 2456	1324	cmd.exe	51
PID 1324 wrote to memory of 2456	1324	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1JfAFoNXhYVL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2844
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2968
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2T2h2BaFbO22.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAM7tvqkIFxz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\elUcGAQ0oDTF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1JfAFoNXhYVL.bat

Filesize
207B

MD5
39c122426968a07f982d5c3581ff3051

SHA1
4d5d98b6e6943be81181b73b181b635559098b83

SHA256
c38171d10cc7bfec02aca901fa11b2af6ccd683c63a74618b4eef8e6e28fe4d1

SHA512
ec47580a0c1d11033ec7e913d2f5d174c05748e6265fb254e9a536494d21b0be625286c492302e8919f1b46ab54e701b91072a2455643f1b4e30db1a54a5c76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2T2h2BaFbO22.bat

Filesize
207B

MD5
25907627e6f9f9340799f306a53669b2

SHA1
aea9853946db65f7c9499c9a70abc32aefa09c91

SHA256
d8dca3f840e8ebb21e3ef737040f7d9c8325bfe00c71649657100638db539472

SHA512
cc84edf7745fea69bd3ffd8afcd19305c30e155b99dadcdf69662335ab6b37b2eb936729f995b2ee80d333c89df8f1c7c0301e9b89db91de0861d3419ed452bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAM7tvqkIFxz.bat

Filesize
207B

MD5
a4d5fe077c5370fdd64e777abcd9b610

SHA1
a685af5ddd9e5ef07ff469f4d99b5ddcb24dc658

SHA256
7252a8986ba60541ca1306d340be8c367386ce2727bceca43154bf23e2d80a56

SHA512
864b9f6048bb8f7feed86fe8e88bf6635353f8a7e8577e957846bd817a2f35e1c9040f8120da7d9cb1f06e82e3683997262834a750a2d9472b27d5500d3e13cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\elUcGAQ0oDTF.bat

Filesize
207B

MD5
0af3766042c5b98b47f5f750aa13d83f

SHA1
3bdc42e3a4785d91424436f466e8f5e52f0bfa08

SHA256
56ba32549fa668dc4d51f0b1fecb8323892de03d32dce0f9c6ac6efa13128f25

SHA512
0fd07883c669fbbd7de22a902f8968429b956775e533ffcbaf4c68906d763c8aa27bae15145224fb30b409384a9b67307f15d9f7d4c8593ff7c74f6e8b37f270

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
43ba56942448efaf6200c561be3aa4cd

SHA1
26a8f505a3e1aee989c56b35cef729fc77b1c028

SHA256
629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

SHA512
59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe

Download Submit
memory/1832-10-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/1832-2-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-1-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/2308-9-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-8-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-11-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-7-0x00000000011E0000-0x0000000001504000-memory.dmp

Filesize
3.1MB

Download
memory/2308-21-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

Filesize
9.9MB

Download