quasar | a2b88e25b1626cbfac4f4d6734becfecd655a89da195e81e26ae729200043fd8

Analysis

max time kernel
1797s
max time network
1495s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

player tracker source.exe
Size

3.1MB
MD5

79b23f9700c2cfe1180cc94dd0ed2d31
SHA1

951e79cf051fb128b667266ab1341e620b980173
SHA256

a2b88e25b1626cbfac4f4d6734becfecd655a89da195e81e26ae729200043fd8
SHA512

e819baf8ecd86d58d486ce53ebb6598c0e436220d422e14b3945c63d869bfca299c9069f18b57231c7d2788d10ad419787cfd093976a4882da8208bc9b7bffa7
SSDEEP

49152:HvDI22SsaNYfdPBldt698dBcjHkx6TBxEsoGdRTHHB72eh2NT:Hv822SsaNYfdPBldt6+dBcjHK61

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

255.255.255.0:4782

Mutex

c5c0225f-92c8-45a3-8b4e-43c9383703ba

Attributes

encryption_key
2C9AF81488324786F38644244B002DFBC04966DB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/2792-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3584 Client.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

player tracker source.exeClient.exe

description pid process

Token: SeDebugPrivilege 2792 player tracker source.exe
Token: SeDebugPrivilege 3584 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3584 Client.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

player tracker source.exe

description pid process target process

PID 2792 wrote to memory of 3584 2792 player tracker source.exe Client.exe
PID 2792 wrote to memory of 3584 2792 player tracker source.exe Client.exe

resource	yara_rule
behavioral1/memory/2792-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

pid	process
3584	Client.exe

description	pid	process
Token: SeDebugPrivilege	2792	player tracker source.exe
Token: SeDebugPrivilege	3584	Client.exe

pid	process
3584	Client.exe

description	pid	process	target process
PID 2792 wrote to memory of 3584	2792	player tracker source.exe	Client.exe
PID 2792 wrote to memory of 3584	2792	player tracker source.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\player tracker source.exe
"C:\Users\Admin\AppData\Local\Temp\player tracker source.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
79b23f9700c2cfe1180cc94dd0ed2d31

SHA1
951e79cf051fb128b667266ab1341e620b980173

SHA256
a2b88e25b1626cbfac4f4d6734becfecd655a89da195e81e26ae729200043fd8

SHA512
e819baf8ecd86d58d486ce53ebb6598c0e436220d422e14b3945c63d869bfca299c9069f18b57231c7d2788d10ad419787cfd093976a4882da8208bc9b7bffa7

Download Submit
memory/2792-0-0x00007FFAE87E3000-0x00007FFAE87E5000-memory.dmp

Filesize
8KB

Download
memory/2792-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp

Filesize
3.1MB

Download
memory/2792-2-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp

Filesize
10.8MB

Download
memory/2792-10-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-9-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-11-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-12-0x000000001BA80000-0x000000001BAD0000-memory.dmp

Filesize
320KB

Download
memory/3584-13-0x000000001BB90000-0x000000001BC42000-memory.dmp

Filesize
712KB

Download
memory/3584-14-0x00007FFAE87E0000-0x00007FFAE92A2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads