Overview

overview

10

Static

static

10

BPLogger-main.zip

windows7-x64

1

BPLogger-main.zip

windows10-2004-x64

1

BPLogger-m...er.rar

windows7-x64

10

BPLogger-m...er.rar

windows10-2004-x64

10

BPLogger.exe

windows7-x64

10

BPLogger.exe

windows10-2004-x64

10

tapi.dll

windows7-x64

1

tapi.dll

windows10-2004-x64

1

x64.dll

windows7-x64

3

x64.dll

windows10-2004-x64

3

BPLogger-m...DME.md

windows7-x64

3

BPLogger-m...DME.md

windows10-2004-x64

3

Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2025 04:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BPLogger-main/BPLogger.rar

  • Size

    1.2MB

  • MD5

    02f7e1af9b8e6814a2ef3ebdd35dd908

  • SHA1

    2b34deb211e851aad0e4978e6311b01a79a7a9be

  • SHA256

    03894b7e34b167b23dbde4b660087d3bc0aef490097c8fe8dda1e7e5903d70f8

  • SHA512

    a2ac2d110a36c99d790c4b54d7282e62e51a799a059716972022b5f59efb0f461f3c6e0ff5b8cc48a4ffc238577020248a22a35460f7218bbc046e431440b93c

  • SSDEEP

    24576:gkpv3JUiN1ruQuR2MzauUYTQniyqJ1AM5e4QXDDb0fblR/2OXEzPyfvc:NB37ZIWuUiQnAJ1AMiXDDb6blUQEzPyM

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes
  • encryption_key

    97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7

  • install_name

    Bootstrapper.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Spotify

  • subdirectory

    system32

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BPLogger-main\BPLogger.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\7zO8CA3C5B7\BPLogger.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8CA3C5B7\BPLogger.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:544
      • C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1944
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9UsveWZ9AVUg.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3244
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:3076
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4092

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zO8CA3C5B7\BPLogger.exe
      Filesize

      3.1MB

      MD5

      14b871855a9046ef9aedeec80f9c2d86

      SHA1

      32c0ad34f524748b76c090fc881b75b928341e7e

      SHA256

      b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

      SHA512

      7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9UsveWZ9AVUg.bat
      Filesize

      215B

      MD5

      a543824b95dff998a57497d53bad7a38

      SHA1

      b4ddcac05157907651228e24186bf7d3f28df474

      SHA256

      d55e50f6ea79a91dee64d110b4106b083a4e5123f720ca4c6fa64c146fa12913

      SHA512

      2cd570d9022c04b0a171120aa9287c0d4ae0932d9daf6c74bdeebd569e2aecb6dc8e11e64fdedb3ed60281a4c4eae804ef5bb2e0fb0842153f954ead327e23b1

      Download Submit

    • memory/632-12-0x00007FFA5A553000-0x00007FFA5A555000-memory.dmp

      Filesize

      8KB

      Download

    • memory/632-13-0x00000000007C0000-0x0000000000AE4000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/632-14-0x00007FFA5A550000-0x00007FFA5B011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/632-20-0x00007FFA5A550000-0x00007FFA5B011000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5028-21-0x000000001C2C0000-0x000000001C310000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5028-22-0x000000001C3D0000-0x000000001C482000-memory.dmp

      Filesize

      712KB

      Download