quasar | 616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

2.6MB
MD5

6416961fe33e1461e8f5c455c2cf0ec9
SHA1

190754691dffb4d873bd32f48722d150d338f51d
SHA256

616bbced150df4c538374a032a176e88165f5e95f3fffaeae28ffa68cda552a1
SHA512

8fe2fa84a62cf92d1136110e0b39bfb7f07646816ff9d9944a0d8523d26d2f2d46653ec2a9f1153fac6b3c585e0f742753959d496cab1f5a62c761dd0db1fc18
SSDEEP

49152:Ux8Gt7KDrJd8spKaFxZWVAItl6dXg84Hk6BOUjbqmQnN/DAP8khk2d4zV:C974P57k6dQ8bIO2uN/DAP8khkj

Score

10^/10

quasar 1 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

87.228.57.81:4782

Mutex

f832b3aa-9229-4dd0-81ec-c101146b1831

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2804-72-0x000000001BAA0000-0x000000001BDC4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2376	random.tmp
2156	random.tmp

Loads dropped DLL 10 IoCs

pid	Process
2356	random.exe
2376	random.tmp
2376	random.tmp
2376	random.tmp
2372	random.exe
2156	random.tmp
2156	random.tmp
2156	random.tmp
2732	regsvr32.exe
2804	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
2624	powershell.exe
2624	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2156	random.tmp
2156	random.tmp
2804	regsvr32.exe
2724	powershell.exe
2624	powershell.exe
2804	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2804	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2156	random.tmp
2804	regsvr32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2804	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	regsvr32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2356 wrote to memory of 2376	2356	random.exe	30
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2376 wrote to memory of 2372	2376	random.tmp	31
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2372 wrote to memory of 2156	2372	random.exe	32
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2156 wrote to memory of 2732	2156	random.tmp	33
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2732 wrote to memory of 2804	2732	regsvr32.exe	34
PID 2804 wrote to memory of 2724	2804	regsvr32.exe	35
PID 2804 wrote to memory of 2724	2804	regsvr32.exe	35
PID 2804 wrote to memory of 2724	2804	regsvr32.exe	35
PID 2804 wrote to memory of 2624	2804	regsvr32.exe	37
PID 2804 wrote to memory of 2624	2804	regsvr32.exe	37
PID 2804 wrote to memory of 2624	2804	regsvr32.exe	37

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\is-3AH8G.tmp\random.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3AH8G.tmp\random.tmp" /SL5="$50150,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\is-SLFBM.tmp\random.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SLFBM.tmp\random.tmp" /SL5="$60150,2299112,208384,C:\Users\Admin\AppData\Local\Temp\random.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\8dnsapi_5.drv"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{10A745F8-9F47-4925-F8B0-2BBBCDF95E06}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8dnsapi_5.drv

Filesize
4.1MB

MD5
6fb91b9f96c8a0f6e20e75377152363a

SHA1
be3ed35dee6b517b9e846bc431197c2d6239f8e1

SHA256
be67966b82dcb5e838095d0ebcccbc854b6eae9d6ac30329457019f2d7d119ae

SHA512
da994e4ee32aee52d98d21ab69887d94efe186d9e0a34b2cc09e0da949fb25a10de464136c305a66c332457d876e5e6ce2acaf6c4f1ba00f7e6345cdda030996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
41f4976c7cf0015ebef6e591cd1ab24b

SHA1
6d6e7d7cd574dd6360b82050d1aa920e041c30e1

SHA256
801c4488bd76f2cf272c393e0ea7cfddf6d19e8604b13500d01c29f2aace6910

SHA512
045b01f2433108d471d99b0667fdf2d592f19a86b428b9d8cd3e8d9468a5e8db2b298462637651cdcc443e37793ebbc05f0ec1d83b93b1872741454907a0dae3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3AH8G.tmp\random.tmp

Filesize
1.2MB

MD5
1db83d1bc949e72509f0e752316ec5d0

SHA1
154d7bd59581ea106d8a02586feaf5c38f806d39

SHA256
57c68e06bd351b2fde4f25f04c89fc265c0c3ce3184fb0caca3410b6eac04a49

SHA512
ff0eba3e3a9407107d2e5875d4369be68c1f1f43144aea8c9b530824f3b9c837705ecd0c7d94bbaadfa59bb273b7e59392bef3d9aaf643353e4b935f8745d4b2

Download Submit
\Users\Admin\AppData\Local\Temp\is-BAQIF.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-BAQIF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2156-51-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2356-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2372-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2372-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2376-8-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2376-24-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2624-69-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2624-70-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2724-61-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-62-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2804-72-0x000000001BAA0000-0x000000001BDC4000-memory.dmp

Filesize
3.1MB

Download
memory/2804-73-0x000007FEF6610000-0x000007FEF6A11000-memory.dmp

Filesize
4.0MB

Download