quasar | 616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

2.6MB
MD5

6416961fe33e1461e8f5c455c2cf0ec9
SHA1

190754691dffb4d873bd32f48722d150d338f51d
SHA256

616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1
SHA512

8fe2fa84a62cf92d1136110e0b39bfb7f07646816ff9d9944a0d8523d26d2f2d46653ec2a9f1153fac6b3c585e0f742753959d496cab1f5a62c761dd0db1fc18
SSDEEP

49152:Ux8Gt7KDrJd8spKaFxZWVAItl6dXg84Hk6BOUjbqmQnN/DAP8khk2d4zV:C974P57k6dQ8bIO2uN/DAP8khkj

Score

10^/10

quasar 1 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

87.228.57.81:4782

Mutex

f832b3aa-9229-4dd0-81ec-c101146b1831

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2816-72-0x000000001BA80000-0x000000001BDA4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2768	random.tmp
2868	random.tmp

Loads dropped DLL 10 IoCs

pid	Process
2648	random.exe
2768	random.tmp
2768	random.tmp
2768	random.tmp
2548	random.exe
2868	random.tmp
2868	random.tmp
2868	random.tmp
2604	regsvr32.exe
2816	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe
2728	powershell.exe
2728	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2868	random.tmp
2868	random.tmp
2816	regsvr32.exe
3012	powershell.exe
2728	powershell.exe
2816	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2816	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2868	random.tmp
2816	regsvr32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2816	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	regsvr32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2648 wrote to memory of 2768	2648	random.exe	30
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2768 wrote to memory of 2548	2768	random.tmp	31
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2548 wrote to memory of 2868	2548	random.exe	32
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2868 wrote to memory of 2604	2868	random.tmp	33
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2604 wrote to memory of 2816	2604	regsvr32.exe	34
PID 2816 wrote to memory of 3012	2816	regsvr32.exe	35
PID 2816 wrote to memory of 3012	2816	regsvr32.exe	35
PID 2816 wrote to memory of 3012	2816	regsvr32.exe	35
PID 2816 wrote to memory of 2728	2816	regsvr32.exe	37
PID 2816 wrote to memory of 2728	2816	regsvr32.exe	37
PID 2816 wrote to memory of 2728	2816	regsvr32.exe	37

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\is-IK4HH.tmp\random.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IK4HH.tmp\random.tmp" /SL5="$50150,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\is-JD6RU.tmp\random.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JD6RU.tmp\random.tmp" /SL5="$60150,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{CAA9C0CA-58FA-4892-8993-B5D4C5B90D2B}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv

Filesize
4.1MB

MD5
6fb91b9f96c8a0f6e20e75377152363a

SHA1
be3ed35dee6b517b9e846bc431197c2d6239f8e1

SHA256
be67966b82dcb5e838095d0ebcccbc854b6eae9d6ac30329457019f2d7d119ae

SHA512
da994e4ee32aee52d98d21ab69887d94efe186d9e0a34b2cc09e0da949fb25a10de464136c305a66c332457d876e5e6ce2acaf6c4f1ba00f7e6345cdda030996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OZZ0N6TUQYDGNPALX23O.temp

Filesize
7KB

MD5
1e64ecd9bee7379d4411eb944b23d9e2

SHA1
93f58e7367153a421aa8f9303b12623f834739a0

SHA256
290181e8efbf336024c80faa4c7c856a4d1e0ffc2f887026f1457e646576cad8

SHA512
cc115032d757f39b52b0e190f36dc014ae3d4e82d040f07a2a70f323918618d9ec760522463044298f73affdcc0cb3acaadb5cb37608020091ce76be3d113790

Download Submit
\Users\Admin\AppData\Local\Temp\is-51E7C.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-51E7C.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IK4HH.tmp\random.tmp

Filesize
1.2MB

MD5
1db83d1bc949e72509f0e752316ec5d0

SHA1
154d7bd59581ea106d8a02586feaf5c38f806d39

SHA256
57c68e06bd351b2fde4f25f04c89fc265c0c3ce3184fb0caca3410b6eac04a49

SHA512
ff0eba3e3a9407107d2e5875d4369be68c1f1f43144aea8c9b530824f3b9c837705ecd0c7d94bbaadfa59bb273b7e59392bef3d9aaf643353e4b935f8745d4b2

Download Submit
memory/2548-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2548-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2548-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2648-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2648-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2728-69-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2728-70-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2768-24-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2768-14-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2816-72-0x000000001BA80000-0x000000001BDA4000-memory.dmp

Filesize
3.1MB

Download
memory/2816-73-0x000007FEF6620000-0x000007FEF6A21000-memory.dmp

Filesize
4.0MB

Download
memory/2868-51-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3012-61-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/3012-62-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download