quasar | ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9

Analysis

max time kernel
87s
max time network
64s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-02-2025 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote RFQ #00926720250204.pdf(39kb).com.exe
Size

3.6MB
MD5

07a4d2a1981e4159e744e3f0bb8d655f
SHA1

fe47d1646972e85667408a28d8db2f2c17b7a313
SHA256

ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9
SHA512

b03cd73c43a0e6a536857b523fa5c96910bf8a73002bb4bd7b8315f951eb9e1f625e3e3804a31cec689b6d8a427df600547cf4becf8494c3c3397a2382a55a4e
SSDEEP

98304:6inq/fUlXQu4UB5uq8yPk4KVJgGSg/RSpSTddPTC:3q/fyD4UAlyfKV7Sg/QwTrP

Score

10^/10

quasar es code discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ES CODE

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

code1.ydns.eu:5287

wqo9.firewall-gateway.de:9792

Mutex

025351e291-5d1041-4fa37-932c7-8L69aeiQec514992

Attributes

encryption_key
3145298725BA5E0DD56E87FFE3F8898EA81E6EDA
install_name
Excelworkbook.exe
log_directory
Logs
reconnect_delay
6000
startup_key
pdfdocument
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2760-18-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2760-15-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2760-13-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2760-10-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2760-9-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
2180	Excelworkbook.exe
1996	Excelworkbook.exe
1124	Excelworkbook.exe
2456	Excelworkbook.exe
2444	Excelworkbook.exe
2316	Excelworkbook.exe
2380	Excelworkbook.exe
2424	Excelworkbook.exe

Loads dropped DLL 3 IoCs

pid	Process
2760	Quote RFQ #00926720250204.pdf(39kb).com.exe
2760	Quote RFQ #00926720250204.pdf(39kb).com.exe
2996	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2180 set thread context of 1996	2180	Excelworkbook.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Excelworkbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quote RFQ #00926720250204.pdf(39kb).com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Excelworkbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Excelworkbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quote RFQ #00926720250204.pdf(39kb).com.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1056	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1056	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe
1124	Excelworkbook.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe
Token: SeDebugPrivilege	1996	Excelworkbook.exe
Token: SeDebugPrivilege	1124	Excelworkbook.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	Excelworkbook.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2324 wrote to memory of 2760	2324	Quote RFQ #00926720250204.pdf(39kb).com.exe	29
PID 2760 wrote to memory of 2980	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	30
PID 2760 wrote to memory of 2980	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	30
PID 2760 wrote to memory of 2980	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	30
PID 2760 wrote to memory of 2980	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	30
PID 2760 wrote to memory of 2180	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	32
PID 2760 wrote to memory of 2180	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	32
PID 2760 wrote to memory of 2180	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	32
PID 2760 wrote to memory of 2180	2760	Quote RFQ #00926720250204.pdf(39kb).com.exe	32
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 2180 wrote to memory of 1996	2180	Excelworkbook.exe	33
PID 1996 wrote to memory of 2532	1996	Excelworkbook.exe	34
PID 1996 wrote to memory of 2532	1996	Excelworkbook.exe	34
PID 1996 wrote to memory of 2532	1996	Excelworkbook.exe	34
PID 1996 wrote to memory of 2532	1996	Excelworkbook.exe	34
PID 1996 wrote to memory of 2996	1996	Excelworkbook.exe	36
PID 1996 wrote to memory of 2996	1996	Excelworkbook.exe	36
PID 1996 wrote to memory of 2996	1996	Excelworkbook.exe	36
PID 1996 wrote to memory of 2996	1996	Excelworkbook.exe	36
PID 2996 wrote to memory of 1360	2996	cmd.exe	38
PID 2996 wrote to memory of 1360	2996	cmd.exe	38
PID 2996 wrote to memory of 1360	2996	cmd.exe	38
PID 2996 wrote to memory of 1360	2996	cmd.exe	38
PID 2996 wrote to memory of 1056	2996	cmd.exe	39
PID 2996 wrote to memory of 1056	2996	cmd.exe	39
PID 2996 wrote to memory of 1056	2996	cmd.exe	39
PID 2996 wrote to memory of 1056	2996	cmd.exe	39
PID 2996 wrote to memory of 1124	2996	cmd.exe	40
PID 2996 wrote to memory of 1124	2996	cmd.exe	40
PID 2996 wrote to memory of 1124	2996	cmd.exe	40
PID 2996 wrote to memory of 1124	2996	cmd.exe	40
PID 1124 wrote to memory of 2456	1124	Excelworkbook.exe	41
PID 1124 wrote to memory of 2456	1124	Excelworkbook.exe	41
PID 1124 wrote to memory of 2456	1124	Excelworkbook.exe	41
PID 1124 wrote to memory of 2456	1124	Excelworkbook.exe	41
PID 1124 wrote to memory of 2444	1124	Excelworkbook.exe	42
PID 1124 wrote to memory of 2444	1124	Excelworkbook.exe	42
PID 1124 wrote to memory of 2444	1124	Excelworkbook.exe	42
PID 1124 wrote to memory of 2444	1124	Excelworkbook.exe	42
PID 1124 wrote to memory of 2316	1124	Excelworkbook.exe	43
PID 1124 wrote to memory of 2316	1124	Excelworkbook.exe	43
PID 1124 wrote to memory of 2316	1124	Excelworkbook.exe	43
PID 1124 wrote to memory of 2316	1124	Excelworkbook.exe	43
PID 1124 wrote to memory of 2380	1124	Excelworkbook.exe	44
PID 1124 wrote to memory of 2380	1124	Excelworkbook.exe	44
PID 1124 wrote to memory of 2380	1124	Excelworkbook.exe	44
PID 1124 wrote to memory of 2380	1124	Excelworkbook.exe	44
PID 1124 wrote to memory of 2424	1124	Excelworkbook.exe	45
PID 1124 wrote to memory of 2424	1124	Excelworkbook.exe	45

C:\Users\Admin\AppData\Local\Temp\Quote RFQ #00926720250204.pdf(39kb).com.exe
"C:\Users\Admin\AppData\Local\Temp\Quote RFQ #00926720250204.pdf(39kb).com.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\Quote RFQ #00926720250204.pdf(39kb).com.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote RFQ #00926720250204.pdf(39kb).com.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2980
- - C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Syqdligwcce3.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
      - C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        7⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        7⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        7⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        7⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
        7⤵
        Executes dropped EXE
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Syqdligwcce3.bat

Filesize
214B

MD5
4e5cd7dd8dbe62c4586da049624a7762

SHA1
da3bbfefc5ce66046769a86774cf6a8b9aecece6

SHA256
03b834a39e6b216d0fba2e48771936a3493edb7d6b37d955a11ff927ff0321df

SHA512
16269b19612b7aec8407f9676e747700d564a10fcb3941a2f24e815cba26bf6c67dc6a5e5183a8be5d16639ee130950ee11c434b2896bbb25c168a7021a5cc2d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe

Filesize
3.6MB

MD5
07a4d2a1981e4159e744e3f0bb8d655f

SHA1
fe47d1646972e85667408a28d8db2f2c17b7a313

SHA256
ce54308e4ba6119f23d6e430e936d1f7dc5f8156c61003e05883c7adbf94e9d9

SHA512
b03cd73c43a0e6a536857b523fa5c96910bf8a73002bb4bd7b8315f951eb9e1f625e3e3804a31cec689b6d8a427df600547cf4becf8494c3c3397a2382a55a4e

Download Submit
memory/1124-58-0x00000000000C0000-0x0000000000462000-memory.dmp

Filesize
3.6MB

Download
memory/1996-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2180-33-0x00000000009C0000-0x0000000000D62000-memory.dmp

Filesize
3.6MB

Download
memory/2324-6-0x000000000B0B0000-0x000000000B418000-memory.dmp

Filesize
3.4MB

Download
memory/2324-5-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-1-0x0000000000840000-0x0000000000BE2000-memory.dmp

Filesize
3.6MB

Download
memory/2324-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-3-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2324-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2324-4-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2324-19-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-13-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-21-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-10-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-9-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-8-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-20-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-15-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-18-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2760-7-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download