quasar | e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630

Resubmissions

27-06-2024 14:00

240627-ra8xaavara 10

27-06-2024 13:31

240627-qswh8stdlh 10

Analysis

max time kernel
21s
max time network
22s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

9.8MB
MD5

bb57e95ad7ac1da6307c62d2e75a7e6d
SHA1

403145af8d0e5260ff0bb9eacac51e9a667214e2
SHA256

e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630
SHA512

12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8
SSDEEP

196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK

Score

10^/10

quasar office04 spyware trojan upx

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2684-1-0x0000000001200000-0x0000000001BE0000-memory.dmp	family_quasar
\Users\Admin\AppData\Local\Temp\svchost.exe	family_quasar
behavioral1/memory/2976-14-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

svchost.exeexplorer.exeexplorer.exe

pid process

2976 svchost.exe
2504 explorer.exe
2984 explorer.exe
Loads dropped DLL 10 IoCs

Processes:

Loader.exeexplorer.exeexplorer.exe

pid process

2684 Loader.exe
2684 Loader.exe
2504 explorer.exe
2984 explorer.exe
2984 explorer.exe
2984 explorer.exe
2984 explorer.exe
2984 explorer.exe
2984 explorer.exe
2984 explorer.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\_MEI25042\python310.dll upx
behavioral1/memory/2984-91-0x000007FEF2190000-0x000007FEF25FE000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2744 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2976 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2976 svchost.exe

pid	process
2976	svchost.exe
2504	explorer.exe
2984	explorer.exe

pid	process
2684	Loader.exe
2684	Loader.exe
2504	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI25042\python310.dll	upx
behavioral1/memory/2984-91-0x000007FEF2190000-0x000007FEF25FE000-memory.dmp	upx

pid	process
2744	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2976	svchost.exe

pid	process
2976	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Loader.exeexplorer.exesvchost.exe

description	pid	process	target process
PID 2684 wrote to memory of 2976	2684	Loader.exe	svchost.exe
PID 2684 wrote to memory of 2976	2684	Loader.exe	svchost.exe
PID 2684 wrote to memory of 2976	2684	Loader.exe	svchost.exe
PID 2684 wrote to memory of 2976	2684	Loader.exe	svchost.exe
PID 2684 wrote to memory of 2504	2684	Loader.exe	explorer.exe
PID 2684 wrote to memory of 2504	2684	Loader.exe	explorer.exe
PID 2684 wrote to memory of 2504	2684	Loader.exe	explorer.exe
PID 2684 wrote to memory of 2504	2684	Loader.exe	explorer.exe
PID 2504 wrote to memory of 2984	2504	explorer.exe	explorer.exe
PID 2504 wrote to memory of 2984	2504	explorer.exe	explorer.exe
PID 2504 wrote to memory of 2984	2504	explorer.exe	explorer.exe
PID 2976 wrote to memory of 2744	2976	svchost.exe	schtasks.exe
PID 2976 wrote to memory of 2744	2976	svchost.exe	schtasks.exe
PID 2976 wrote to memory of 2744	2976	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25042\api-ms-win-core-file-l1-2-0.dll
Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\api-ms-win-core-file-l2-1-0.dll
Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\api-ms-win-core-localization-l1-2-0.dll
Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\api-ms-win-core-timezone-l1-1-0.dll
Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\python310.dll
Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25042\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
6.7MB

MD5
06a23cdd552d4e9f3092a7d953de261b

SHA1
e4d1358f8b0d32583e1c8c4e54e906fabfb1e6fd

SHA256
d25376818e0c28ff398e2996427faefdb6f3b0cfbc010544afd75f8e499b30b5

SHA512
358a1f19230d8502dd6c041f8508450e1868b32c68f089bd4d3328343a9ddaf6f35eb5037462bdacba279d9cbd44d178d61aeae45dfc1acf46c747a340ac8f0b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
3.1MB

MD5
04171e6b9675549c537da1066130372d

SHA1
be7a0f301fc2affaed273b33a11a97baa55b38eb

SHA256
2a7b3ff7583d5ac1ad1a7031fd89c38199cd250eb2b37605fcb8a7650c59f1e1

SHA512
1e6b03c3c31ed5eb0dfa284bcfa5f2f80822a4a8fc37ee633147ca5571eb7f62f38225ac41390c197d4d21da92dc9e1d7d81b4664caf94c96695c7444136141d

Download Submit
memory/2684-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x0000000001200000-0x0000000001BE0000-memory.dmp

Filesize
9.9MB

Download
memory/2976-14-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download
memory/2984-91-0x000007FEF2190000-0x000007FEF25FE000-memory.dmp

Filesize
4.4MB

Download