quasar | d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38

Analysis

max time kernel
359s
max time network
359s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

288KB
MD5

612513b20674942d2bcf4d0732e0b726
SHA1

26e71467d042ccc4ade033a000a1febac73170d7
SHA256

d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38
SHA512

ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a
SSDEEP

6144:6KJuiyEnCGnhJlMP5Kq+SMv0VGb7bDcllbkUC:pzCGL69zVGkllbkp

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

Ratrat2-53904.portmap.host:53904

Mutex

KvGe0Q07bhebNCip9c

Attributes

encryption_key
urBKaVmkbLbNrQbAkgkI
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Steam
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-1-0x0000000000100000-0x000000000014E000-memory.dmp	family_quasar
\Program Files (x86)\SubDir\Client.exe	family_quasar
behavioral1/memory/2484-14-0x0000000000070000-0x00000000000BE000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid process

2484 Client.exe
2132 Client.exe
Loads dropped DLL 7 IoCs

Processes:

Client-built.exeWerFault.execmd.exe

pid process

2008 Client-built.exe
2112 WerFault.exe
2112 WerFault.exe
2112 WerFault.exe
2112 WerFault.exe
2112 WerFault.exe
1860 cmd.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
6 api.ipify.org
7 ip-api.com
9 api.ipify.org

pid	process
2484	Client.exe
2132	Client.exe

pid	process
2008	Client-built.exe
2112	WerFault.exe
2112	WerFault.exe
2112	WerFault.exe
2112	WerFault.exe
2112	WerFault.exe
1860	cmd.exe

flow	ioc
2	ip-api.com
6	api.ipify.org
7	ip-api.com
9	api.ipify.org

Drops file in Program Files directory 4 IoCs

Processes:

Client.exeClient-built.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SubDir	Client.exe
File created	C:\Program Files (x86)\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Program Files (x86)\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2112 2484 WerFault.exe Client.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

316 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2792 schtasks.exe
1528 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeClient.exe

description pid process

Token: SeDebugPrivilege 2008 Client-built.exe
Token: SeDebugPrivilege 2484 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2484 Client.exe

pid	pid_target	process	target process
2112	2484	WerFault.exe	Client.exe

pid	process
316	PING.EXE

pid	process
2792	schtasks.exe
1528	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2008	Client-built.exe
Token: SeDebugPrivilege	2484	Client.exe

pid	process
2484	Client.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Client-built.exeClient.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 2792	2008	Client-built.exe	schtasks.exe
PID 2008 wrote to memory of 2792	2008	Client-built.exe	schtasks.exe
PID 2008 wrote to memory of 2792	2008	Client-built.exe	schtasks.exe
PID 2008 wrote to memory of 2792	2008	Client-built.exe	schtasks.exe
PID 2008 wrote to memory of 2484	2008	Client-built.exe	Client.exe
PID 2008 wrote to memory of 2484	2008	Client-built.exe	Client.exe
PID 2008 wrote to memory of 2484	2008	Client-built.exe	Client.exe
PID 2008 wrote to memory of 2484	2008	Client-built.exe	Client.exe
PID 2484 wrote to memory of 1528	2484	Client.exe	schtasks.exe
PID 2484 wrote to memory of 1528	2484	Client.exe	schtasks.exe
PID 2484 wrote to memory of 1528	2484	Client.exe	schtasks.exe
PID 2484 wrote to memory of 1528	2484	Client.exe	schtasks.exe
PID 2484 wrote to memory of 1860	2484	Client.exe	cmd.exe
PID 2484 wrote to memory of 1860	2484	Client.exe	cmd.exe
PID 2484 wrote to memory of 1860	2484	Client.exe	cmd.exe
PID 2484 wrote to memory of 1860	2484	Client.exe	cmd.exe
PID 2484 wrote to memory of 2112	2484	Client.exe	WerFault.exe
PID 2484 wrote to memory of 2112	2484	Client.exe	WerFault.exe
PID 2484 wrote to memory of 2112	2484	Client.exe	WerFault.exe
PID 2484 wrote to memory of 2112	2484	Client.exe	WerFault.exe
PID 1860 wrote to memory of 1676	1860	cmd.exe	chcp.com
PID 1860 wrote to memory of 1676	1860	cmd.exe	chcp.com
PID 1860 wrote to memory of 1676	1860	cmd.exe	chcp.com
PID 1860 wrote to memory of 1676	1860	cmd.exe	chcp.com
PID 1860 wrote to memory of 316	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 316	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 316	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 316	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 2132	1860	cmd.exe	Client.exe
PID 1860 wrote to memory of 2132	1860	cmd.exe	Client.exe
PID 1860 wrote to memory of 2132	1860	cmd.exe	Client.exe
PID 1860 wrote to memory of 2132	1860	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\phpnOs7WwoZV.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:316

C:\Program Files (x86)\SubDir\Client.exe
"C:\Program Files (x86)\SubDir\Client.exe"
4⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1412
3⤵
- Loads dropped DLL
- Program crash
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\phpnOs7WwoZV.bat
Filesize
199B

MD5
37492236864cab5cb1446d405ff5665b

SHA1
f36b6db713473008af2b8fea94a777512beb2b54

SHA256
dc06a69c7373eeb0060765c0f8fddaecf246256ee2b1f904df39209355264f8c

SHA512
74780b7dfa37dedb573d055c6c4a2aadefec08f22ba88453678a5901a3f745975299070474a8ffc671679ed14d3214bc0bb950fb79f0a2816a11879e3bc349d4

Download Submit
\Program Files (x86)\SubDir\Client.exe
Filesize
288KB

MD5
612513b20674942d2bcf4d0732e0b726

SHA1
26e71467d042ccc4ade033a000a1febac73170d7

SHA256
d0b01d8716df6a5635967566bf4f89daba958ae5689561e956d33f644be14d38

SHA512
ce278631bb21322df5daf5a7b1a8296c2030a1708ec4367e444f9c65138b6f345e79d45138ec24f616b9da94150e82ad4ec3bbcee4282501c7eee568cc50ed8a

Download Submit
memory/2008-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000000100000-0x000000000014E000-memory.dmp

Filesize
312KB

Download
memory/2008-2-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-3-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2008-4-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-13-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-12-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-14-0x0000000000070000-0x00000000000BE000-memory.dmp

Filesize
312KB

Download
memory/2484-15-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-16-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download