quasar | 77153049f33480d1b665c68aa0732e531f963f9acb04b9e016baafeca3b54dd8

Analysis

max time kernel
33s
max time network
24s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BPLogger-main/BPLogger.rar
Size

1.2MB
MD5

02f7e1af9b8e6814a2ef3ebdd35dd908
SHA1

2b34deb211e851aad0e4978e6311b01a79a7a9be
SHA256

03894b7e34b167b23dbde4b660087d3bc0aef490097c8fe8dda1e7e5903d70f8
SHA512

a2ac2d110a36c99d790c4b54d7282e62e51a799a059716972022b5f59efb0f461f3c6e0ff5b8cc48a4ffc238577020248a22a35460f7218bbc046e431440b93c
SSDEEP

24576:gkpv3JUiN1ruQuR2MzauUYTQniyqJ1AM5e4QXDDb0fblR/2OXEzPyfvc:NB37ZIWuUiQnAJ1AMiXDDb6blUQEzPyM

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral3/files/0x0009000000018bcd-4.dat	family_quasar
behavioral3/memory/2236-11-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral3/memory/2644-16-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral3/memory/768-27-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2236	BPLogger.exe
2644	Bootstrapper.exe
768	Bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2980	PING.EXE
1736	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2980	PING.EXE
1736	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2636	schtasks.exe
672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2484	7zFM.exe
2484	7zFM.exe
2484	7zFM.exe
2484	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2484	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2484	7zFM.exe
Token: 35	2484	7zFM.exe
Token: SeSecurityPrivilege	2484	7zFM.exe
Token: SeDebugPrivilege	2236	BPLogger.exe
Token: SeDebugPrivilege	2644	Bootstrapper.exe
Token: SeDebugPrivilege	768	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2484	7zFM.exe
2484	7zFM.exe
2644	Bootstrapper.exe
768	Bootstrapper.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2644	Bootstrapper.exe
768	Bootstrapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	Bootstrapper.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2236	2484	7zFM.exe	31
PID 2484 wrote to memory of 2236	2484	7zFM.exe	31
PID 2484 wrote to memory of 2236	2484	7zFM.exe	31
PID 2236 wrote to memory of 2772	2236	BPLogger.exe	32
PID 2236 wrote to memory of 2772	2236	BPLogger.exe	32
PID 2236 wrote to memory of 2772	2236	BPLogger.exe	32
PID 2236 wrote to memory of 2644	2236	BPLogger.exe	34
PID 2236 wrote to memory of 2644	2236	BPLogger.exe	34
PID 2236 wrote to memory of 2644	2236	BPLogger.exe	34
PID 2644 wrote to memory of 2636	2644	Bootstrapper.exe	35
PID 2644 wrote to memory of 2636	2644	Bootstrapper.exe	35
PID 2644 wrote to memory of 2636	2644	Bootstrapper.exe	35
PID 2644 wrote to memory of 2508	2644	Bootstrapper.exe	37
PID 2644 wrote to memory of 2508	2644	Bootstrapper.exe	37
PID 2644 wrote to memory of 2508	2644	Bootstrapper.exe	37
PID 2508 wrote to memory of 2632	2508	cmd.exe	39
PID 2508 wrote to memory of 2632	2508	cmd.exe	39
PID 2508 wrote to memory of 2632	2508	cmd.exe	39
PID 2508 wrote to memory of 2980	2508	cmd.exe	40
PID 2508 wrote to memory of 2980	2508	cmd.exe	40
PID 2508 wrote to memory of 2980	2508	cmd.exe	40
PID 2508 wrote to memory of 768	2508	cmd.exe	41
PID 2508 wrote to memory of 768	2508	cmd.exe	41
PID 2508 wrote to memory of 768	2508	cmd.exe	41
PID 768 wrote to memory of 672	768	Bootstrapper.exe	42
PID 768 wrote to memory of 672	768	Bootstrapper.exe	42
PID 768 wrote to memory of 672	768	Bootstrapper.exe	42
PID 768 wrote to memory of 2324	768	Bootstrapper.exe	44
PID 768 wrote to memory of 2324	768	Bootstrapper.exe	44
PID 768 wrote to memory of 2324	768	Bootstrapper.exe	44
PID 2324 wrote to memory of 1988	2324	cmd.exe	46
PID 2324 wrote to memory of 1988	2324	cmd.exe	46
PID 2324 wrote to memory of 1988	2324	cmd.exe	46
PID 2324 wrote to memory of 1736	2324	cmd.exe	47
PID 2324 wrote to memory of 1736	2324	cmd.exe	47
PID 2324 wrote to memory of 1736	2324	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BPLogger-main\BPLogger.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\7zO4B9660E6\BPLogger.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B9660E6\BPLogger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2772
- - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
    "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2636
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgKdTfdxWGJu.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2632
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2980
    - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:672
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuQD0BujKcSC.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4B9660E6\BPLogger.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuQD0BujKcSC.bat

Filesize
215B

MD5
769760a89d6c63df1108984ece0d1483

SHA1
6ce8888c7f3495512b384ee50d37eef7f1f4595e

SHA256
3cda9c0a3261d785bd2ea656bad25ea4962e4c4b4bcd3d942607fc5fa8c78c9b

SHA512
f9c0131673770bc06c3e605e5574ae2bb9f939eeebbd361c8386cd2de21a88e26dab0a546e08e8547bc8040d0298292939aa613a58d83a0e78b3f5a12777a9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgKdTfdxWGJu.bat

Filesize
215B

MD5
736bfabe00749e51a5801a8775f2c7b2

SHA1
b3affffde44ebe2d8036d5718e4f3d7026689ae7

SHA256
beb8025fe5c3a830d31b1245c92025e4579538da79ea3568bc3ba5ff09bf2ee0

SHA512
2f552232c1e2c83fea276068ce6db550d7315bb361d4900d8ab68543e2ccb8da4f5e9db350b95e3aaa0f8c7a6f42cd166265b77a20ada8a0fa82315e15a54087

Download Submit
memory/768-27-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/2236-11-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/2644-16-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download