quasar | cbac5d6488d2b1655aff14f498060b3a0f752bc26291a34c39ff76da2866de9a

Analysis

max time kernel
599s
max time network
600s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sp0ofer.exe
Size

3.1MB
MD5

c5dc60ebad720c8a08e21c08db1d2dfa
SHA1

268f1aace8a48248d58de344bd1dfd2eb5e2c2a8
SHA256

cbac5d6488d2b1655aff14f498060b3a0f752bc26291a34c39ff76da2866de9a
SHA512

9930d8208b8bba24bd0d70d9491a302c8efefea5ff195711eee0f725f39b83070e624474de990cd0dc14c80ba0bd27a343cfc31fcee4104e49a76e637cd829f7
SSDEEP

49152:DvulL26AaNeWgPhlmVqvMQ7XSKPPxNESEfk/ioLoGdfxTHHB72eh2NT:DveL26AaNeWgPhlmVqkQ7XSKHxCG

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-53072.portmap.host:53072

Mutex

6dc28d35-3024-44a7-a559-f9991015fa39

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
Client.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2436-1-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
C:\Program Files\Common Files\Client.exe	family_quasar
behavioral1/memory/2508-9-0x00000000012C0000-0x00000000015E4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2508 Client.exe

pid	process
2508	Client.exe

Drops file in Program Files directory 5 IoCs

Processes:

sp0ofer.exeClient.exe

description	ioc	process
File created	C:\Program Files\Common Files\Client.exe	sp0ofer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	sp0ofer.exe
File opened for modification	C:\Program Files\Common Files	sp0ofer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2944 schtasks.exe
2072 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sp0ofer.exeClient.exe

description pid process

Token: SeDebugPrivilege 2436 sp0ofer.exe
Token: SeDebugPrivilege 2508 Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Client.exe

pid process

2508 Client.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

2508 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2508 Client.exe

pid	process
2944	schtasks.exe
2072	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2436	sp0ofer.exe
Token: SeDebugPrivilege	2508	Client.exe

pid	process
2508	Client.exe

pid	process
2508	Client.exe

pid	process
2508	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

sp0ofer.exeClient.exe

description	pid	process	target process
PID 2436 wrote to memory of 2944	2436	sp0ofer.exe	schtasks.exe
PID 2436 wrote to memory of 2944	2436	sp0ofer.exe	schtasks.exe
PID 2436 wrote to memory of 2944	2436	sp0ofer.exe	schtasks.exe
PID 2436 wrote to memory of 2508	2436	sp0ofer.exe	Client.exe
PID 2436 wrote to memory of 2508	2436	sp0ofer.exe	Client.exe
PID 2436 wrote to memory of 2508	2436	sp0ofer.exe	Client.exe
PID 2508 wrote to memory of 2072	2508	Client.exe	schtasks.exe
PID 2508 wrote to memory of 2072	2508	Client.exe	schtasks.exe
PID 2508 wrote to memory of 2072	2508	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sp0ofer.exe
"C:\Users\Admin\AppData\Local\Temp\sp0ofer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Client.exe
Filesize
3.1MB

MD5
c5dc60ebad720c8a08e21c08db1d2dfa

SHA1
268f1aace8a48248d58de344bd1dfd2eb5e2c2a8

SHA256
cbac5d6488d2b1655aff14f498060b3a0f752bc26291a34c39ff76da2866de9a

SHA512
9930d8208b8bba24bd0d70d9491a302c8efefea5ff195711eee0f725f39b83070e624474de990cd0dc14c80ba0bd27a343cfc31fcee4104e49a76e637cd829f7

Download Submit
memory/2436-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/2436-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-10-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-8-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-9-0x00000000012C0000-0x00000000015E4000-memory.dmp

Filesize
3.1MB

Download
memory/2508-11-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-12-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-13-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download