quasar | dd31e310c502f14a8ca479ee8723dcb8ded8ce9caf6fbeaa435fc966bd1458a4

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proton.exe
Size

831KB
MD5

34e8bec2eff81b0451a68e3fc7562fb8
SHA1

91b8aa5907020bad02fcaed731f53e9e433e0f4d
SHA256

dd31e310c502f14a8ca479ee8723dcb8ded8ce9caf6fbeaa435fc966bd1458a4
SHA512

0a6d23997a9d29f40907097c28afa62162cc03369b8a8c4c84e124d131706a8dc19b62c0cc9efb2b6deccbcd72d4e034d9b893d538e5060d0cf7b43556bf4b05
SSDEEP

24576:uZsS44StKHIPbcNK0KKfaOwI55l2SLaB4/:uZsSIKEgKKHwCBe

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

fall-alberta.gl.at.ply.gg:48316

Mutex

f3374a4e-4175-4db9-a8d8-303de2184767

Attributes

encryption_key
669A421372DEF816BCFAA19491270BD72DCE71F1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Proton VPN
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2772-1-0x00000000011B0000-0x0000000001286000-memory.dmp	family_quasar
behavioral1/memory/2772-2-0x0000000000360000-0x000000000037A000-memory.dmp	family_quasar

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2772	Proton.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	Proton.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2860	2772	Proton.exe	30
PID 2772 wrote to memory of 2860	2772	Proton.exe	30
PID 2772 wrote to memory of 2860	2772	Proton.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proton.exe
"C:\Users\Admin\AppData\Local\Temp\Proton.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x00000000011B0000-0x0000000001286000-memory.dmp

Filesize
856KB

Download
memory/2772-2-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/2772-3-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-4-0x0000000000B00000-0x0000000000B4E000-memory.dmp

Filesize
312KB

Download
memory/2772-5-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2772-6-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads