quasar | aeefbc3356c7f36db8a4d7f12ef63c8d6ff4c8bed178ec31cf6cab49f8b03d50

Analysis

max time kernel
68s
max time network
76s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-02-2025 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloxScripts.exe
Size

12.8MB
MD5

1705aca93e5b467a60a3558345306428
SHA1

7f6e72e63a22edd278c81e7a6b760856636259b7
SHA256

aeefbc3356c7f36db8a4d7f12ef63c8d6ff4c8bed178ec31cf6cab49f8b03d50
SHA512

11f1718d570aba665b8bba37a0133c3916d0a55213e70f3729bf2c51f84b70a73fa7ea77d659de546dd60995509ba35d9671099e7b30397c1f232c36ff91da97
SSDEEP

393216:vfChwrd42aSS4PDzy1Nt/3ANKBu0MCfD14o:3Iwx4KDDz0a3dCf2o

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.191:4782

Mutex

ce9247ec-b417-4093-b0d1-2caaee0d1141

Attributes

encryption_key
C2C5B6669CD8FD67ABE180D329CF60300D8F95A2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018bbf-19.dat	family_quasar
behavioral1/memory/2828-27-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/2592-36-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar

Executes dropped EXE 14 IoCs

pid	Process
2828	Client-built.exe
2592	Client.exe
2236	BloxScript main.exe
2272	BloxScript main.exe
2960	BloxScript main.exe
3044	BloxScript main.exe
952	BloxScript main.exe
1924	BloxScript main.exe
1920	BloxScript main.exe
2208	BloxScript main.exe
3056	BloxScript main.exe
1308	BloxScript main.exe
680	BloxScript main.exe
1720	BloxScript main.exe

Loads dropped DLL 52 IoCs

pid	Process
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
2360	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
2784	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
2948	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1460	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
2632	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1276	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
2192	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1056	Process not Found
1368	Process not Found
1368	Process not Found
432	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
936	Process not Found
1368	Process not Found
1368	Process not Found
948	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
452	Process not Found

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\desktop.ini	BloxScripts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\desktop.ini	BloxScripts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe
1536	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	Client-built.exe
Token: SeDebugPrivilege	2592	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	Client.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2828	1952	BloxScripts.exe	31
PID 1952 wrote to memory of 2828	1952	BloxScripts.exe	31
PID 1952 wrote to memory of 2828	1952	BloxScripts.exe	31
PID 2828 wrote to memory of 2732	2828	Client-built.exe	32
PID 2828 wrote to memory of 2732	2828	Client-built.exe	32
PID 2828 wrote to memory of 2732	2828	Client-built.exe	32
PID 2828 wrote to memory of 2592	2828	Client-built.exe	34
PID 2828 wrote to memory of 2592	2828	Client-built.exe	34
PID 2828 wrote to memory of 2592	2828	Client-built.exe	34
PID 2592 wrote to memory of 1536	2592	Client.exe	38
PID 2592 wrote to memory of 1536	2592	Client.exe	38
PID 2592 wrote to memory of 1536	2592	Client.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BloxScripts.exe
"C:\Users\Admin\AppData\Local\Temp\BloxScripts.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2732
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1536

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:952

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe"
1⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
3.1MB

MD5
fef0c33b8e549660a9ff078bf6aee075

SHA1
b90c4a79806ce43e06c84e3fc5373e0b7b7707e4

SHA256
396ca8c9f6e88d59b1e85e528e4e7b7febe602b043398f3128bcdab58a21f315

SHA512
9b8660c9d292e7db2b1611070c4a57457939b3e6de637add86a4e326013b125e3e6adb66d8d671275994d6e67f88220b8ede0a3f4f58716d2ba5bc2d857fb934

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\BloxScript\BloxScript main.exe

Filesize
9.4MB

MD5
f2a6133b7f38fc49f792ae799d1b4750

SHA1
6bef46ddde325f45a0e9ff123112c96bbd47c795

SHA256
37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d

SHA512
f9611bed83b4bce1841868880a42dacb6b8f7e8859be1d85b3c8d3a365a0244566cbfb12294c7b2c82b15d6c0e47095d8246a95d522c3a064a0d8511b2411254

Download Submit
memory/2592-36-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download
memory/2828-26-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2828-27-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/2828-30-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2828-37-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads