quasar | 175ec7e1176528a017ac2709fa1132d38d13dbf1e56ccd92813f5f0de0c67cbf

Analysis

max time kernel
52s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2025 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

cb477316add6ca54244dd574ffeb1643
SHA1

920cefdc72dcfc129b9134be11e204a1f7966f42
SHA256

175ec7e1176528a017ac2709fa1132d38d13dbf1e56ccd92813f5f0de0c67cbf
SHA512

e93edbe7055815880fa4843af709e04cb0923c73f643cfa3380704a1a75ef316b751fb7b5a36189c51a50476b39cc7a4e46ae390b717896a4175d061e779538f
SSDEEP

49152:SvyI22SsaNYfdPBldt698dBcjHcUA38arAgoGd9THHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHg3Z

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

98.218.3.74:4782

Mutex

3808ff71-c2df-4538-8d66-6459677347c3

Attributes

encryption_key
24BCF759F51AE66E5C4BF0A521BA79747D6F977F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/916-1-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/files/0x001900000002aebb-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4556	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1268	schtasks.exe
3864	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	Client-built.exe
Token: SeDebugPrivilege	4556	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4556	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1268	916	Client-built.exe	82
PID 916 wrote to memory of 1268	916	Client-built.exe	82
PID 916 wrote to memory of 4556	916	Client-built.exe	84
PID 916 wrote to memory of 4556	916	Client-built.exe	84
PID 4556 wrote to memory of 3864	4556	Client.exe	85
PID 4556 wrote to memory of 3864	4556	Client.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1268
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
cb477316add6ca54244dd574ffeb1643

SHA1
920cefdc72dcfc129b9134be11e204a1f7966f42

SHA256
175ec7e1176528a017ac2709fa1132d38d13dbf1e56ccd92813f5f0de0c67cbf

SHA512
e93edbe7055815880fa4843af709e04cb0923c73f643cfa3380704a1a75ef316b751fb7b5a36189c51a50476b39cc7a4e46ae390b717896a4175d061e779538f

Download Submit
memory/916-0-0x00007FFF94433000-0x00007FFF94435000-memory.dmp

Filesize
8KB

Download
memory/916-1-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/916-2-0x00007FFF94430000-0x00007FFF94EF2000-memory.dmp

Filesize
10.8MB

Download
memory/916-9-0x00007FFF94430000-0x00007FFF94EF2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-10-0x00007FFF94430000-0x00007FFF94EF2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-11-0x00007FFF94430000-0x00007FFF94EF2000-memory.dmp

Filesize
10.8MB

Download
memory/4556-12-0x000000001BC10000-0x000000001BC60000-memory.dmp

Filesize
320KB

Download
memory/4556-13-0x000000001C860000-0x000000001C912000-memory.dmp

Filesize
712KB

Download
memory/4556-14-0x00007FFF94430000-0x00007FFF94EF2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads