quasar | 2c7b25bd3f50be5f2beaf71b10d012b06bfd91275eda5f3fe4f81c59754b90f3

Analysis

max time kernel
65s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrudaTweak.zip
Size

10.6MB
MD5

1f85b246762c45185e66c10700855f6a
SHA1

6a05572e7d23ad241b933e615b3f180402b6e4e0
SHA256

2c7b25bd3f50be5f2beaf71b10d012b06bfd91275eda5f3fe4f81c59754b90f3
SHA512

f9efae2f1f4964ff533fddebdaf9edc3068e26d68d378f29ecd09cc7d041841ff8f390834067a69c7c0c4c004ffac6abc45191f1353cea7ec5e91b57156dee49
SSDEEP

196608:7AaahvSji7LYOSIlr3vTPzz3Uh33HUxxqM3PBOfo6cakJrdfLjPQbUINfkotWe+:7X0SjkL/lT7jUhUxMM3PB5JrVAbVyotM

Score

10^/10

quasar prudabackend spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a0000000234b3-71.dat	family_quasar
behavioral2/memory/4872-72-0x00000000008F0000-0x0000000000C14000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
47	3152	!PrudaTweak.exe

Executes dropped EXE 4 IoCs

pid	Process
3152	!PrudaTweak.exe
3644	crashpad_handler.exe
4872	Spotify.exe
8	update.exe

Loads dropped DLL 5 IoCs

pid	Process
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	Spotify.exe
File opened for modification	C:\Windows\system32\update.exe	Spotify.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1832	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1364	schtasks.exe
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2644	7zFM.exe
2644	7zFM.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe
3152	!PrudaTweak.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2644	7zFM.exe
Token: 35	2644	7zFM.exe
Token: SeSecurityPrivilege	2644	7zFM.exe
Token: SeSecurityPrivilege	2644	7zFM.exe
Token: SeDebugPrivilege	3152	!PrudaTweak.exe
Token: SeDebugPrivilege	4872	Spotify.exe
Token: SeDebugPrivilege	8	update.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2644	7zFM.exe
2644	7zFM.exe
2644	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
8	update.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1832	2644	7zFM.exe	100
PID 2644 wrote to memory of 1832	2644	7zFM.exe	100
PID 3152 wrote to memory of 3644	3152	!PrudaTweak.exe	108
PID 3152 wrote to memory of 3644	3152	!PrudaTweak.exe	108
PID 3152 wrote to memory of 4872	3152	!PrudaTweak.exe	111
PID 3152 wrote to memory of 4872	3152	!PrudaTweak.exe	111
PID 4872 wrote to memory of 1364	4872	Spotify.exe	112
PID 4872 wrote to memory of 1364	4872	Spotify.exe	112
PID 4872 wrote to memory of 8	4872	Spotify.exe	114
PID 4872 wrote to memory of 8	4872	Spotify.exe	114
PID 8 wrote to memory of 3280	8	update.exe	115
PID 8 wrote to memory of 3280	8	update.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PrudaTweak.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO45AE4C08\ReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2228

C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe
"C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe
  C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\Desktop\PrudaTweak\cache --metrics-dir=C:\Users\Admin\Desktop\PrudaTweak\cache --url=https://sentry.pruda.de:443/api/2/minidump/?sentry_client=sentry.native/0.7.16&sentry_key=ae11f7dd565c2b26983cff3e1a33de87 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\be76ca99-f8ea-4499-4cac-2565f498904b.run\__sentry-event --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\be76ca99-f8ea-4499-4cac-2565f498904b.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\be76ca99-f8ea-4499-4cac-2565f498904b.run\__sentry-breadcrumb2 --initial-client-data=0x5bc,0x5c0,0x5c4,0x594,0x5c8,0x7fffb7f93b70,0x7fffb7f93b88,0x7fffb7f93ba0
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Users\Admin\AppData\Local\Temp\Spotify.exe
  "C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1364
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO45AE4C08\ReadMe.txt

Filesize
54B

MD5
499de9d9188c430a05577a37ca55eb25

SHA1
38e94adbe669972e47ce5c8f9f7c1856b736325e

SHA256
4097e09dc2992caddd40ed08a80f6bd96ee15c9077cc1f81e82062b755341df0

SHA512
8926b484501ce4dd77d89960535e2bd1520f319a655efaecd565f18baedc4d80aa7f53c3b0429b4afcc540d713a6d2f317accfebab6be7d23a37d05aa0fcd6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe

Filesize
135KB

MD5
b919c1037e70d3db56f5a5ddb67d9e86

SHA1
e96772ca1fe8e044c3a03b46a9535c67c063bec0

SHA256
86c4260b065071bb0e89c3b6ea67a1065a63dd23cf03ad4e27cdcbeaf9748398

SHA512
502a5252a1ae87f93e272689da3fd206538ffde5e01aa281b3ee3905c273af79cfe9aa3759e675197f7ff6c166f898307789263429cdf34b7402b07a99511b04

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\Sentry.dll

Filesize
547KB

MD5
f634f84cf9f0244b3c62b04b21c69bbf

SHA1
e0a09946aad5cf6d402b617fc1679b139ddcb79f

SHA256
1e28984f8e08bcf2c902b9621a3b9646c695f12cd5b059b820bdbd735f706651

SHA512
50a15ef80f5ec00169a214cc8b26c8a5a81209760c48a6108d16b0ccc2a63fa8f0a22f3d8db235a74abfc4db65fc3e4a4eb8b46e06342c183c2c1f5b52b42fb3

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.deps.json

Filesize
2KB

MD5
81dba0ada628b279fdd419ae8b6cdb51

SHA1
856a511842dca4955c6b99f2154ac71c1d3053cb

SHA256
38c88f3aec2b0cbc7136020ec13eba93225e96cdca13d2f6941398900a905178

SHA512
2545810e4d8f96ee3e54608a7ffc0e3fa33f8bbdfd7ca781d63fad287a965ec6765bbb61cac25d6c9ee8f8e8670b5736b4b9671d0aed677f21615186a59ac87f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.dll

Filesize
122KB

MD5
d627b87086ff7a189d3205fbaef59c80

SHA1
a94c3453eff80799eb767ea5ad5d0e31b85eff45

SHA256
d8bc06fc6b88711b58b4d4a1203f0111744c44b7929f00aee79b405b05a77a17

SHA512
ef4bfb39a2a6a586b9c0f812d9625fe7c10e3f1a962e235009010437bf20928993cbb2c89892e57156ecce3083fc791631d773602420e51a21e6be3f8c452c85

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.runtimeconfig.json

Filesize
515B

MD5
e0f6f18f9b152bc2d8c710b0214805d6

SHA1
ae3d39e59fd6edc05792a76cdf4f02a637f52e29

SHA256
89ad1ea5c9c20b6b266547ef27c0ae3840cab5642d3c2aedf06b7026245671dd

SHA512
80a6a9ff925bd1ba6f57fa1f7dd40de962001af97f8c2477d0b502728e23b6f412c74134e33efb36ccfeb08bbbeb678beb7e2e52fad24a763967eba8cf09b29e

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\8b8eaff1-9501-4d58-3a5e-90f8a6f28619.run\session.json

Filesize
205B

MD5
06df072958cdbd820f13b70130c8f8a0

SHA1
94c378762ff9a19a503160bd05814a8fc3ef5cd9

SHA256
98902d8d2f18e29169cb60d5ba46974b79d841dcd0d0c243f47d7c6d663a9254

SHA512
6212959e85dbc965de7406f2a596bdb1746efead9bec35fb861f57c75e33de6c3006c6798cc09583335e1705c3771ec45621a4c84f059803823cbca8fed924a5

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\9accb9a7-0e64-4548-8296-c2d7fb92a73f.run\__sentry-event

Filesize
305B

MD5
4d3bf9c62481386d99e2a5a0828341d2

SHA1
f359b6c105b8b1ece4569075a5781eecf61ecd21

SHA256
7407a8986ef45d2c6d7438d5d2d2664ab4089d23b6a02dc786987b375a07833a

SHA512
cf250facbff061775678b7be429763a6ca818587824e622341f986acd9e4e8f81dd82e49fb5d75759c5b186c327f7f89854c54f204dc6eb1af5eef5201537993

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\settings.dat

Filesize
40B

MD5
f0695e361eda3407c992d4042c98bd96

SHA1
4750f5d01ec5434f4852e06f1a0d6867c8eaa700

SHA256
31bc96d2a96b589e9d3fbae934e22112f847415081e54ff60cf21d2c7a0f3797

SHA512
19058ec366abad9414c26ad0acc5a22a870ca4e75aa8f60626a41e3bb8814a27be5d1b37e80b5f4e608b1c9fe991584d2430dba3ebb090b75a12cb63953cdecb

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\core.dll

Filesize
7.8MB

MD5
2812dc85be549cb7ac9f2af2fd33bf23

SHA1
397162303b15457cd883c20da2a51c08fd47414b

SHA256
c0c06a8ad06ca18771acb39d53eeb4222606d817c0fd51b31f58f9bb11c08610

SHA512
0720cd21fb2f52f7b64785f1083ef8ca9a2cc0e1bfc7ae3226145a02e21befd001e4b98aaed04f2535c9d4f3c6d7f11d814f2a154836a0a78f81277b5650381c

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe

Filesize
2.3MB

MD5
3334755210b904abcb67d187770e8cbf

SHA1
27d22593374bb6611ff54562b18422ef515cf8b3

SHA256
c3f4c395b7ab3caa33dfc30a05a1e0ffba81d05ecbdc6eb9f2c901421e31c8ff

SHA512
9d8a3eadd27733dae3025542c4ac46eb3fe6923770c41b178f96f99751cb8809b3965ea1b2fd1585be5af3803e3046f47337d3fb2aa6130fd51b018549775c52

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
5a6752a89ddc99da064d5f7ddad70888

SHA1
c0aeefaa763c50ed4403f9d881d75aa1304ae81d

SHA256
523708e61d7509314047baf84d8d23a2c9dea59fa962ac58eec85c01c9877408

SHA512
4df9556a06c883c5e4dc8b37acc5be54f62cc471d482c19af54d52f160e00be98ce07bf54650cea881f9ddcf65f4c53b7f6e91aba178f64c3bff5201154b914f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libssl-3-x64.dll

Filesize
879KB

MD5
4a8dde272f6015afe307853acd2b21e1

SHA1
7b5c07d101e4aab1ad246f4cd1c55e497b02ee8b

SHA256
befc04fbac884fd3bbe09131efa7f6dd6713a732e31f839e6145680a41827e0f

SHA512
ff45450f195d8440fb99fbb6bcffbf1c08201c4a9b146a703bc2474d31adfbb98444657acf4d9c0be73072dba8353026d26f3dbd4b53d044099fc4c84b2c9329

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\runtimeconfig.json

Filesize
170B

MD5
351f746426eecd5f6dab7a8549706845

SHA1
25fa3a53604551783aaab0f7a47936c9b1368653

SHA256
8dc2877edafe9f042088b9ba55b5193177dc4569b36bfbd0f9141e4489fc6e94

SHA512
ce310761a102e7f0a17ddd4c07f668e746c304a7c6ea7b02e94eea3e129eff5ac49384da9cd5ee046ba150f4759afe3834b16f8a5111f037c288c464735496bd

Download Submit
memory/8-79-0x000000001BBE0000-0x000000001BC30000-memory.dmp

Filesize
320KB

Download
memory/8-80-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/8-83-0x000000001BC50000-0x000000001BC62000-memory.dmp

Filesize
72KB

Download
memory/8-84-0x000000001C4E0000-0x000000001C51C000-memory.dmp

Filesize
240KB

Download
memory/3152-53-0x00007FFFB7EB0000-0x00007FFFB8D02000-memory.dmp

Filesize
14.3MB

Download
memory/3152-52-0x00007FFFE06D0000-0x00007FFFE06D2000-memory.dmp

Filesize
8KB

Download
memory/4872-72-0x00000000008F0000-0x0000000000C14000-memory.dmp

Filesize
3.1MB

Download