quasar | c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797

Analysis

max time kernel
5s
max time network
5s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-06-2024 13:14

Target

c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Size

348KB
MD5

11767ecb9deb6b80bf781e6f47b859d5
SHA1

7eabf94ea15bef9d48100159ff54e5117d7ead77
SHA256

c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797
SHA512

849f033d3d6a4a9969ccfee4a468a48c7c894326a8f0d6e3d64ecc00d6f92593af10da01319ef3b8ffd5fd34070735d1b8877a7b1fa9e7845c1b661edf16ddfd
SSDEEP

6144:PyUhIvTCqL/0+Ad3zEGMcQbzGD5VeKyvh1UGoAhQqwO:qNTCKxANEKemqsGoAqqwO

Score

10^/10

Family

quasar

Version

1.3.0.0

Botnet

Office04

127.0.0.1:4782

Mutex

QSR_MUTEX_Qfx1LgLjDrqR2O9eT4

Attributes

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/4228-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4840 Client.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3752 schtasks.exe
4064 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exeClient.exe

description pid process

Token: SeDebugPrivilege 4228 c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Token: SeDebugPrivilege 4840 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4840 Client.exe

resource	yara_rule
behavioral1/memory/4228-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

pid	process
4840	Client.exe

flow	ioc
1	ip-api.com

pid	process
3752	schtasks.exe
4064	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe
Token: SeDebugPrivilege	4840	Client.exe

pid	process
4840	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exeClient.exe

description	pid	process	target process
PID 4228 wrote to memory of 3752	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	schtasks.exe
PID 4228 wrote to memory of 3752	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	schtasks.exe
PID 4228 wrote to memory of 3752	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	schtasks.exe
PID 4228 wrote to memory of 4840	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	Client.exe
PID 4228 wrote to memory of 4840	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	Client.exe
PID 4228 wrote to memory of 4840	4228	c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe	Client.exe
PID 4840 wrote to memory of 4064	4840	Client.exe	schtasks.exe
PID 4840 wrote to memory of 4064	4840	Client.exe	schtasks.exe
PID 4840 wrote to memory of 4064	4840	Client.exe	schtasks.exe

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "winlogon.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "winlogon.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
11767ecb9deb6b80bf781e6f47b859d5

SHA1
7eabf94ea15bef9d48100159ff54e5117d7ead77

SHA256
c0cd9c51c4fc4f7805d5d2e5e08e3701c2214ab9ee25a239b2ab3c7af0c8e797

SHA512
849f033d3d6a4a9969ccfee4a468a48c7c894326a8f0d6e3d64ecc00d6f92593af10da01319ef3b8ffd5fd34070735d1b8877a7b1fa9e7845c1b661edf16ddfd

Download Submit
memory/4228-6-0x0000000006250000-0x0000000006262000-memory.dmp

Filesize
72KB

Download
memory/4228-2-0x0000000005AF0000-0x0000000005FEE000-memory.dmp

Filesize
5.0MB

Download
memory/4228-3-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4228-4-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4228-5-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/4228-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/4228-7-0x0000000006640000-0x000000000667E000-memory.dmp

Filesize
248KB

Download
memory/4228-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download
memory/4228-15-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4840-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4840-16-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4840-18-0x00000000060C0000-0x00000000060CA000-memory.dmp

Filesize
40KB

Download