quasar | 72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/02/2025, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment010225.exe
Size

951KB
MD5

b76d3e743d68ca1e3f04d641bfcc3ec7
SHA1

d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8
SHA256

72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c
SHA512

c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b
SSDEEP

24576:JPzFQtxBAb2JewjA/s5TqKnNiw0RALH0+XxryrSwg2J:1FC+2jpnNiRSXxqgM

Score

10^/10

quasar stroy discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Stroy

109.248.151.166:61537

Mutex

QSR_MUTEX_uHD8seWaFzpqqYxRLX

Attributes

encryption_key
IR3AcRhjtuelpwNmTP7v
install_name
Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2016-4-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2016-8-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2016-6-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2768	Updater.exe
2632	Updater.exe
2588	Updater.exe

Loads dropped DLL 3 IoCs

pid	Process
2016	Payment010225.exe
2768	Updater.exe
2768	Updater.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2016	2168	Payment010225.exe	30
PID 2168 set thread context of 1628	2168	Payment010225.exe	31
PID 2768 set thread context of 2632	2768	Updater.exe	36
PID 2768 set thread context of 2588	2768	Updater.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment010225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment010225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment010225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
2892	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	Payment010225.exe
Token: SeDebugPrivilege	2016	Payment010225.exe
Token: SeDebugPrivilege	2768	Updater.exe
Token: SeDebugPrivilege	2632	Updater.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 2016	2168	Payment010225.exe	30
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2168 wrote to memory of 1628	2168	Payment010225.exe	31
PID 2016 wrote to memory of 2836	2016	Payment010225.exe	33
PID 2016 wrote to memory of 2836	2016	Payment010225.exe	33
PID 2016 wrote to memory of 2836	2016	Payment010225.exe	33
PID 2016 wrote to memory of 2836	2016	Payment010225.exe	33
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2016 wrote to memory of 2768	2016	Payment010225.exe	35
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2632	2768	Updater.exe	36
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2768 wrote to memory of 2588	2768	Updater.exe	37
PID 2632 wrote to memory of 2892	2632	Updater.exe	38
PID 2632 wrote to memory of 2892	2632	Updater.exe	38
PID 2632 wrote to memory of 2892	2632	Updater.exe	38
PID 2632 wrote to memory of 2892	2632	Updater.exe	38

C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
"C:\Users\Admin\AppData\Local\Temp\Payment010225.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
  C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Payment010225.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2836
- - C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
    "C:\Users\Admin\AppData\Roaming\Windows\Updater.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
      C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Updater.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
  - - C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
      C:\Users\Admin\AppData\Roaming\Windows\Updater.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2588
- C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
  C:\Users\Admin\AppData\Local\Temp\Payment010225.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Windows\Updater.exe

Filesize
951KB

MD5
b76d3e743d68ca1e3f04d641bfcc3ec7

SHA1
d2d4fea6920a1a737199ce0fcac7c44adb5d7bd8

SHA256
72209f1e92435b27f56db50ee9db7b82ebb11a6fb37ea5ade6cda13fc2c0d00c

SHA512
c1e29917358740c56e9c83a0a5e8ea48d368806a0b71b2a240df9f5568cb7dc0d7b18e2959fe5b40d4ada2733594b6c17e705f6181c3a38eeaa1efd0ab24558b

Download Submit
memory/1628-19-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-17-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-15-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-18-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-14-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-27-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-2-0x0000000006DA0000-0x0000000006EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2168-16-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-3-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000EB0000-0x0000000000FA4000-memory.dmp

Filesize
976KB

Download
memory/2768-26-0x0000000000A20000-0x0000000000B14000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads