Overview

overview

10

Static

static

10

75e5b5dd81...19.exe

windows7-x64

10

75e5b5dd81...19.exe

windows10-2004-x64

10

76055a2e7a...db.exe

windows7-x64

10

76055a2e7a...db.exe

windows10-2004-x64

10

760a200139...4c.exe

windows7-x64

10

760a200139...4c.exe

windows10-2004-x64

10

7621266dff...17.exe

windows7-x64

7

7621266dff...17.exe

windows10-2004-x64

7

763e7e3720...c3.exe

windows7-x64

10

763e7e3720...c3.exe

windows10-2004-x64

10

764342a8e4...3a.exe

windows7-x64

10

764342a8e4...3a.exe

windows10-2004-x64

10

765922fe83...ca.exe

windows7-x64

10

765922fe83...ca.exe

windows10-2004-x64

10

7666b329e0...6a.exe

windows7-x64

10

7666b329e0...6a.exe

windows10-2004-x64

10

766ad1b216...36.exe

windows7-x64

3

766ad1b216...36.exe

windows10-2004-x64

3

76b5533f09...c1.exe

windows7-x64

10

76b5533f09...c1.exe

windows10-2004-x64

10

76c8afc286...eb.exe

windows7-x64

1

76c8afc286...eb.exe

windows10-2004-x64

1

76c8d5e249...8f.exe

windows7-x64

10

76c8d5e249...8f.exe

windows10-2004-x64

10

76d2a80297...d7.exe

windows7-x64

10

76d2a80297...d7.exe

windows10-2004-x64

10

76dd2ca60d...1a.exe

windows7-x64

10

76dd2ca60d...1a.exe

windows10-2004-x64

10

76f8eeacdb...0d.exe

windows7-x64

7

76f8eeacdb...0d.exe

windows10-2004-x64

10

770f4b8c61...96.exe

windows7-x64

10

770f4b8c61...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519.exe

  • Size

    502KB

  • MD5

    8a04eeadf3aa212ad8b9ec03750598b5

  • SHA1

    8ecd4c1b9e3f52c8cfb33785b8669d0fe12a67bd

  • SHA256

    75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519

  • SHA512

    e804d6b2530a1239dcd0dc51921841342def20fa97d2f64029f793321fcba343d3bf703fbf7c4e167233c219724364e1e6ca4266f806f5194cfda927f46d8dff

  • SSDEEP

    6144:xTEgdc0YrXAGbgiIN2RSBKnaJm5xGDy5Etqk+yw4sUcEOOb8F9Z2U/iBWcTR3y:xTEgdfYbbgyaJpj4xywyepTcBWcdy

Score
10/10
quasaroffice365spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

office365

C2

192.168.0.182:4782

Mutex

247cbad3-d2c3-4911-bcea-2ba07f8a24dd

Attributes
  • encryption_key

    B23B358E069C74D3466E9FC1110706C029AADF0D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519.exe
    "C:\Users\Admin\AppData\Local\Temp\75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5760
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\SubDir\Client.exe
    Filesize

    502KB

    MD5

    8a04eeadf3aa212ad8b9ec03750598b5

    SHA1

    8ecd4c1b9e3f52c8cfb33785b8669d0fe12a67bd

    SHA256

    75e5b5dd81e4e1cc6623f32b322c79ef80d65a2383afa33a45db6e9e75b8d519

    SHA512

    e804d6b2530a1239dcd0dc51921841342def20fa97d2f64029f793321fcba343d3bf703fbf7c4e167233c219724364e1e6ca4266f806f5194cfda927f46d8dff

    Download Submit

  • memory/4624-8-0x00007FFD5F410000-0x00007FFD5FED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-10-0x00007FFD5F410000-0x00007FFD5FED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-11-0x000000001C540000-0x000000001C590000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4624-12-0x000000001C650000-0x000000001C702000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4624-13-0x00007FFD5F410000-0x00007FFD5FED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5760-0-0x00007FFD5F413000-0x00007FFD5F415000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5760-1-0x0000000000B20000-0x0000000000BA4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/5760-2-0x00007FFD5F410000-0x00007FFD5FED1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5760-9-0x00007FFD5F410000-0x00007FFD5FED1000-memory.dmp

    Filesize

    10.8MB

    Download