quasar | 7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Size

5.1MB
MD5

59ddcad28d941a4cd3af90a10a3833a7
SHA1

a831be3525978ff33076479ad43935fc23432927
SHA256

7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581
SHA512

0b630da6233302d6912cb36b34eba465329f6087afdd9be7ce2e232ad6910f86c90db29983c7e391232106012bb583e115e7c988ae3f326a5d85eb0187fcde63
SSDEEP

98304:4EavUEH9tOXMHer9STJsv6tWKFdu9CLDsEJncODv6k3QaW:zGtDXTJsv6tWKFdu9CLBJnP6k3Q

Score

10^/10

quasar discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Mutex

�YO,��-�zۜg��q

Attributes

encryption_key
B79C633924DB50C64E5A0FDA379FDD053E7E4574
log_directory
��ʻ�]�3�탃
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4340-2-0x00000000075B0000-0x000000000773E000-memory.dmp	family_quasar

Executes dropped EXE 10 IoCs

pid	Process
5360	S5fyTGPe.exe
2288	RuntimeBroker.exe
2364	S5fyTGPe.exe
4972	RuntimeBroker.exe
732	S5fyTGPe.exe
3808	RuntimeBroker.exe
212	S5fyTGPe.exe
528	RuntimeBroker.exe
1936	S5fyTGPe.exe
3936	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5360	S5fyTGPe.exe
2364	S5fyTGPe.exe
732	S5fyTGPe.exe
212	S5fyTGPe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Token: SeDebugPrivilege	5360	S5fyTGPe.exe
Token: SeDebugPrivilege	2364	S5fyTGPe.exe
Token: SeDebugPrivilege	732	S5fyTGPe.exe
Token: SeDebugPrivilege	212	S5fyTGPe.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 5360	4760	cmd.exe	96
PID 4760 wrote to memory of 5360	4760	cmd.exe	96
PID 4760 wrote to memory of 5360	4760	cmd.exe	96
PID 4340 wrote to memory of 2288	4340	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	97
PID 4340 wrote to memory of 2288	4340	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	97
PID 4340 wrote to memory of 2288	4340	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	97
PID 4816 wrote to memory of 2364	4816	cmd.exe	102
PID 4816 wrote to memory of 2364	4816	cmd.exe	102
PID 4816 wrote to memory of 2364	4816	cmd.exe	102
PID 5360 wrote to memory of 4972	5360	S5fyTGPe.exe	103
PID 5360 wrote to memory of 4972	5360	S5fyTGPe.exe	103
PID 5360 wrote to memory of 4972	5360	S5fyTGPe.exe	103
PID 5672 wrote to memory of 732	5672	cmd.exe	106
PID 5672 wrote to memory of 732	5672	cmd.exe	106
PID 5672 wrote to memory of 732	5672	cmd.exe	106
PID 2364 wrote to memory of 3808	2364	S5fyTGPe.exe	107
PID 2364 wrote to memory of 3808	2364	S5fyTGPe.exe	107
PID 2364 wrote to memory of 3808	2364	S5fyTGPe.exe	107
PID 5904 wrote to memory of 212	5904	cmd.exe	110
PID 5904 wrote to memory of 212	5904	cmd.exe	110
PID 5904 wrote to memory of 212	5904	cmd.exe	110
PID 732 wrote to memory of 528	732	S5fyTGPe.exe	111
PID 732 wrote to memory of 528	732	S5fyTGPe.exe	111
PID 732 wrote to memory of 528	732	S5fyTGPe.exe	111
PID 1228 wrote to memory of 1936	1228	cmd.exe	114
PID 1228 wrote to memory of 1936	1228	cmd.exe	114
PID 1228 wrote to memory of 1936	1228	cmd.exe	114
PID 212 wrote to memory of 3936	212	S5fyTGPe.exe	115
PID 212 wrote to memory of 3936	212	S5fyTGPe.exe	115
PID 212 wrote to memory of 3936	212	S5fyTGPe.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5360
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5672
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5904
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S5fyTGPe.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe

Filesize
5.1MB

MD5
59ddcad28d941a4cd3af90a10a3833a7

SHA1
a831be3525978ff33076479ad43935fc23432927

SHA256
7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581

SHA512
0b630da6233302d6912cb36b34eba465329f6087afdd9be7ce2e232ad6910f86c90db29983c7e391232106012bb583e115e7c988ae3f326a5d85eb0187fcde63

Download Submit
memory/2288-17-0x0000000004F80000-0x000000000510A000-memory.dmp

Filesize
1.5MB

Download
memory/4340-0-0x0000000004670000-0x00000000047FA000-memory.dmp

Filesize
1.5MB

Download
memory/4340-2-0x00000000075B0000-0x000000000773E000-memory.dmp

Filesize
1.6MB

Download
memory/4340-6-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/4340-7-0x0000000007740000-0x00000000077D2000-memory.dmp

Filesize
584KB

Download
memory/4340-8-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/4340-9-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/4340-15-0x0000000004670000-0x00000000047FA000-memory.dmp

Filesize
1.5MB

Download
memory/5360-16-0x0000000004520000-0x00000000046AA000-memory.dmp

Filesize
1.5MB

Download