quasar | 85f453be7ee3915a11d51992cb30135849abf25006668b2b2589bc96bdca5a20

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.2MB
MD5

9829267eb5a37773b209963bbed9e419
SHA1

5d812309f2fe6b21fc0c8f5a5b84b19d2c5df121
SHA256

85f453be7ee3915a11d51992cb30135849abf25006668b2b2589bc96bdca5a20
SHA512

77aa1134121991fae234532f6ae754aecbc55784a60e229b0128a442004103486263b243168672c6552f3ab24cbf2a4a9209e8aaf05af0b24c9b9c4bffccdcd7
SSDEEP

98304:3vj52fyaSZOrPWluWBDG5g5h5ppFUHBp:fa+5xjU

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

localhost:4782

Mutex

e6dd4e3c-69b8-4cc3-bd87-255fbec8b149

Attributes

encryption_key
3B9457A501B5D0EA09920FB91E1FFB2405E7981F
install_name
WinRAR.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WinRAR
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4976-1-0x0000000000160000-0x000000000049C000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c83-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5092	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4468	schtasks.exe
2972	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	Client-built.exe
Token: SeDebugPrivilege	5092	WinRAR.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4468	4976	Client-built.exe	84
PID 4976 wrote to memory of 4468	4976	Client-built.exe	84
PID 4976 wrote to memory of 5092	4976	Client-built.exe	86
PID 4976 wrote to memory of 5092	4976	Client-built.exe	86
PID 5092 wrote to memory of 2972	5092	WinRAR.exe	90
PID 5092 wrote to memory of 2972	5092	WinRAR.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WinRAR" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WinRAR.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4468
- C:\Users\Admin\AppData\Roaming\SubDir\WinRAR.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WinRAR" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WinRAR.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\WinRAR.exe

Filesize
3.2MB

MD5
9829267eb5a37773b209963bbed9e419

SHA1
5d812309f2fe6b21fc0c8f5a5b84b19d2c5df121

SHA256
85f453be7ee3915a11d51992cb30135849abf25006668b2b2589bc96bdca5a20

SHA512
77aa1134121991fae234532f6ae754aecbc55784a60e229b0128a442004103486263b243168672c6552f3ab24cbf2a4a9209e8aaf05af0b24c9b9c4bffccdcd7

Download Submit
memory/4976-0-0x00007FFF5C493000-0x00007FFF5C495000-memory.dmp

Filesize
8KB

Download
memory/4976-1-0x0000000000160000-0x000000000049C000-memory.dmp

Filesize
3.2MB

Download
memory/4976-2-0x00007FFF5C490000-0x00007FFF5CF51000-memory.dmp

Filesize
10.8MB

Download
memory/4976-9-0x00007FFF5C490000-0x00007FFF5CF51000-memory.dmp

Filesize
10.8MB

Download
memory/5092-10-0x00007FFF5C490000-0x00007FFF5CF51000-memory.dmp

Filesize
10.8MB

Download
memory/5092-11-0x00007FFF5C490000-0x00007FFF5CF51000-memory.dmp

Filesize
10.8MB

Download
memory/5092-12-0x000000001BED0000-0x000000001BF20000-memory.dmp

Filesize
320KB

Download
memory/5092-13-0x000000001BFE0000-0x000000001C092000-memory.dmp

Filesize
712KB

Download
memory/5092-14-0x00007FFF5C490000-0x00007FFF5CF51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads