quasar | 629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

43ba56942448efaf6200c561be3aa4cd
SHA1

26a8f505a3e1aee989c56b35cef729fc77b1c028
SHA256

629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024
SHA512

59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe
SSDEEP

49152:6vsG42pda6D+/PjlLOlg6yQipV9fBtIBxwMoGdaYTHHB72eh2NT:6v342pda6D+/PjlLOlZyQipVLtg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.178.56:4782

tcp://5.tcp.eu.ngrok.io:13134:7771

Mutex

0552115c-2459-453f-980d-c60aebb9957e

Attributes

encryption_key
1DEED326568BA39A5A6D6473414A146E2A7F5724
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2368-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ca8-5.dat	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 5 IoCs

pid	Process
1412	Client.exe
4572	Client.exe
1692	Client.exe
1396	Client.exe
3624	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3520	PING.EXE
4404	PING.EXE
2676	PING.EXE
5092	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2676	PING.EXE
5092	PING.EXE
3520	PING.EXE
4404	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	Client-built.exe
Token: SeDebugPrivilege	1412	Client.exe
Token: SeDebugPrivilege	4572	Client.exe
Token: SeDebugPrivilege	1692	Client.exe
Token: SeDebugPrivilege	1396	Client.exe
Token: SeDebugPrivilege	3624	Client.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1412	Client.exe
4572	Client.exe
1692	Client.exe
1396	Client.exe
3624	Client.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1412	Client.exe
4572	Client.exe
1692	Client.exe
1396	Client.exe
3624	Client.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1412	Client.exe
4572	Client.exe
1692	Client.exe
1396	Client.exe
3624	Client.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1412	2368	Client-built.exe	82
PID 2368 wrote to memory of 1412	2368	Client-built.exe	82
PID 1412 wrote to memory of 3804	1412	Client.exe	90
PID 1412 wrote to memory of 3804	1412	Client.exe	90
PID 3804 wrote to memory of 1752	3804	cmd.exe	92
PID 3804 wrote to memory of 1752	3804	cmd.exe	92
PID 3804 wrote to memory of 2676	3804	cmd.exe	93
PID 3804 wrote to memory of 2676	3804	cmd.exe	93
PID 3804 wrote to memory of 4572	3804	cmd.exe	96
PID 3804 wrote to memory of 4572	3804	cmd.exe	96
PID 4572 wrote to memory of 4072	4572	Client.exe	97
PID 4572 wrote to memory of 4072	4572	Client.exe	97
PID 4072 wrote to memory of 924	4072	cmd.exe	99
PID 4072 wrote to memory of 924	4072	cmd.exe	99
PID 4072 wrote to memory of 5092	4072	cmd.exe	100
PID 4072 wrote to memory of 5092	4072	cmd.exe	100
PID 4072 wrote to memory of 1692	4072	cmd.exe	101
PID 4072 wrote to memory of 1692	4072	cmd.exe	101
PID 1692 wrote to memory of 3960	1692	Client.exe	102
PID 1692 wrote to memory of 3960	1692	Client.exe	102
PID 3960 wrote to memory of 1184	3960	cmd.exe	104
PID 3960 wrote to memory of 1184	3960	cmd.exe	104
PID 3960 wrote to memory of 3520	3960	cmd.exe	105
PID 3960 wrote to memory of 3520	3960	cmd.exe	105
PID 3960 wrote to memory of 1396	3960	cmd.exe	106
PID 3960 wrote to memory of 1396	3960	cmd.exe	106
PID 1396 wrote to memory of 2368	1396	Client.exe	107
PID 1396 wrote to memory of 2368	1396	Client.exe	107
PID 2368 wrote to memory of 2880	2368	cmd.exe	109
PID 2368 wrote to memory of 2880	2368	cmd.exe	109
PID 2368 wrote to memory of 4404	2368	cmd.exe	110
PID 2368 wrote to memory of 4404	2368	cmd.exe	110
PID 2368 wrote to memory of 3624	2368	cmd.exe	111
PID 2368 wrote to memory of 3624	2368	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymPshuA1eVhl.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1752
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2676
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzyKVAiS4BTB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:924
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dz1IbFuyQmkY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tDvzWZSxbdh3.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dz1IbFuyQmkY.bat

Filesize
207B

MD5
cd35eb93d698020f95fd50555a9e515e

SHA1
a49994f2cdc8924c59e2ebad3ca5972c6878375e

SHA256
f482f6877497bde7ec0c2c68ab6e4040bd6393111cc1fea32449d34a3e56f767

SHA512
a7ca1756ffb84e6f1729bca877c8171dc4d51ad5f45ffbeb61814e13f03f6feb8897c190fdf59cd4da826ca94a1f86c5ef724c7e2d16c077d62daa327d6dc9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDvzWZSxbdh3.bat

Filesize
207B

MD5
a35cd0f8c846885fcf95770b9ab72179

SHA1
be9f9255b7e037d606bef651dd271f6e66fdf801

SHA256
d56452bf0ba0f59cd0f5ff2f58283f5b4336f368ace2bcbfd6c0d1affa730a2c

SHA512
87307aae6527fe443ad66b084de24c5ab9c99f015b04e0d3e8b35333993b8ebea6847a0d28757717229cbf3c68b33b0371eaf846f36f31f73bb5c603f50c8235

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymPshuA1eVhl.bat

Filesize
207B

MD5
3d0f9a69ee3f4f8e4a544041083e892b

SHA1
4963178fc23c01ca66227c859fab802caec34411

SHA256
825ef19dbba9846546839a54f0570667e1a34025b5fd9c463a8595a278f05a82

SHA512
b56cade361a446e7eaf986b10a88464b373a139f5d34e98b14848cdfac44875e69f0f802a2a7f27a333503f9f22fb1b1005cc17c772cd0173c17fd8a656e22db

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzyKVAiS4BTB.bat

Filesize
207B

MD5
e27f593f1f91a1b2a2929bfc8706fd63

SHA1
ff8f0b7e3acb2fbc518e401732f6a04029410095

SHA256
135bc80a02eed3daafecb746df8d40e35fb721c2ca722088c9a01275fd7268f3

SHA512
19a4ee6115e5910f836cd9ff00b03ce46c43d580274b1847ff2eb4308afacd5449bfbe49ea7df65ae7a48fb78a81939bbf97aaec0d5b740e62be0fb23e8c7e0e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
43ba56942448efaf6200c561be3aa4cd

SHA1
26a8f505a3e1aee989c56b35cef729fc77b1c028

SHA256
629d5525bebd5ed6d37a8c75e3c326647f9f8d5420e5b0a43dfade7563cc4024

SHA512
59e0b28de0ca1d67a3654e84235222ab64f5a9f4818db32c5ee51e2270a2a9c954f64d4714a8040ada194c04a36d8ba6fa8d55296e297160cdc1e9f3fe976dfe

Download Submit
memory/1412-9-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/1412-11-0x000000001C920000-0x000000001C970000-memory.dmp

Filesize
320KB

Download
memory/1412-12-0x000000001CA30000-0x000000001CAE2000-memory.dmp

Filesize
712KB

Download
memory/1412-13-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/1412-19-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/1412-10-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2368-8-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2368-0-0x00007FFD352C3000-0x00007FFD352C5000-memory.dmp

Filesize
8KB

Download
memory/2368-2-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2368-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp

Filesize
3.1MB

Download