quasar | cf12af32289d5d1913e941419e809fb0d8bb24ba17adc1b6e108075acce35d1f

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c5807c538665509c9c44356cd82a785d
SHA1

e97dd1a36a23ab468a2002f2c7ebc62c1e68f240
SHA256

cf12af32289d5d1913e941419e809fb0d8bb24ba17adc1b6e108075acce35d1f
SHA512

5bfa426685a5973b09ab550dd035921251061974b1e442307fd8dd858d2796f803c9f4be22ef4e9ccd233015c45b88e9088890d351bcd3188dada33cbdd54cd7
SSDEEP

49152:uvnI22SsaNYfdPBldt698dBcjH6fPR3XoGdfjRTHHB72eh2NT:uvI22SsaNYfdPBldt6+dBcjH63Rn

Score

10^/10

quasar zzzz spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

zzzz

4.tcp.ngrok.io:16868

Mutex

116e2822-047d-4b5c-ad10-563148a1a28e

Attributes

encryption_key
C366BC97216329D1909524412E3ECB1EBC575D07
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1248-1-0x0000000000470000-0x0000000000794000-memory.dmp family_quasar
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

12 4.tcp.ngrok.io
1 4.tcp.ngrok.io
3 4.tcp.ngrok.io
7 4.tcp.ngrok.io
8 4.tcp.ngrok.io
10 4.tcp.ngrok.io
11 4.tcp.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5000 PING.EXE
1364 PING.EXE
4156 PING.EXE
4692 PING.EXE
4780 PING.EXE
4408 PING.EXE
668 PING.EXE

resource	yara_rule
behavioral1/memory/1248-1-0x0000000000470000-0x0000000000794000-memory.dmp	family_quasar

flow	ioc
12	4.tcp.ngrok.io
1	4.tcp.ngrok.io
3	4.tcp.ngrok.io
7	4.tcp.ngrok.io
8	4.tcp.ngrok.io
10	4.tcp.ngrok.io
11	4.tcp.ngrok.io

pid	process
5000	PING.EXE
1364	PING.EXE
4156	PING.EXE
4692	PING.EXE
4780	PING.EXE
4408	PING.EXE
668	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

description	pid	process
Token: SeDebugPrivilege	1248	Client-built.exe
Token: SeDebugPrivilege	3148	Client-built.exe
Token: SeDebugPrivilege	576	Client-built.exe
Token: SeDebugPrivilege	4760	Client-built.exe
Token: SeDebugPrivilege	3036	Client-built.exe
Token: SeDebugPrivilege	4000	Client-built.exe
Token: SeDebugPrivilege	1432	Client-built.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

pid process

1248 Client-built.exe
3148 Client-built.exe
576 Client-built.exe
4760 Client-built.exe
3036 Client-built.exe
4000 Client-built.exe
1432 Client-built.exe

pid	process
1248	Client-built.exe
3148	Client-built.exe
576	Client-built.exe
4760	Client-built.exe
3036	Client-built.exe
4000	Client-built.exe
1432	Client-built.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Client-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 4428	1248	Client-built.exe	cmd.exe
PID 1248 wrote to memory of 4428	1248	Client-built.exe	cmd.exe
PID 4428 wrote to memory of 2012	4428	cmd.exe	chcp.com
PID 4428 wrote to memory of 2012	4428	cmd.exe	chcp.com
PID 4428 wrote to memory of 5000	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 5000	4428	cmd.exe	PING.EXE
PID 4428 wrote to memory of 3148	4428	cmd.exe	Client-built.exe
PID 4428 wrote to memory of 3148	4428	cmd.exe	Client-built.exe
PID 3148 wrote to memory of 3396	3148	Client-built.exe	cmd.exe
PID 3148 wrote to memory of 3396	3148	Client-built.exe	cmd.exe
PID 3396 wrote to memory of 4584	3396	cmd.exe	chcp.com
PID 3396 wrote to memory of 4584	3396	cmd.exe	chcp.com
PID 3396 wrote to memory of 1364	3396	cmd.exe	PING.EXE
PID 3396 wrote to memory of 1364	3396	cmd.exe	PING.EXE
PID 3396 wrote to memory of 576	3396	cmd.exe	Client-built.exe
PID 3396 wrote to memory of 576	3396	cmd.exe	Client-built.exe
PID 576 wrote to memory of 4572	576	Client-built.exe	cmd.exe
PID 576 wrote to memory of 4572	576	Client-built.exe	cmd.exe
PID 4572 wrote to memory of 1512	4572	cmd.exe	chcp.com
PID 4572 wrote to memory of 1512	4572	cmd.exe	chcp.com
PID 4572 wrote to memory of 4156	4572	cmd.exe	PING.EXE
PID 4572 wrote to memory of 4156	4572	cmd.exe	PING.EXE
PID 4572 wrote to memory of 4760	4572	cmd.exe	Client-built.exe
PID 4572 wrote to memory of 4760	4572	cmd.exe	Client-built.exe
PID 4760 wrote to memory of 3816	4760	Client-built.exe	cmd.exe
PID 4760 wrote to memory of 3816	4760	Client-built.exe	cmd.exe
PID 3816 wrote to memory of 1708	3816	cmd.exe	chcp.com
PID 3816 wrote to memory of 1708	3816	cmd.exe	chcp.com
PID 3816 wrote to memory of 4692	3816	cmd.exe	PING.EXE
PID 3816 wrote to memory of 4692	3816	cmd.exe	PING.EXE
PID 3816 wrote to memory of 3036	3816	cmd.exe	Client-built.exe
PID 3816 wrote to memory of 3036	3816	cmd.exe	Client-built.exe
PID 3036 wrote to memory of 3296	3036	Client-built.exe	cmd.exe
PID 3036 wrote to memory of 3296	3036	Client-built.exe	cmd.exe
PID 3296 wrote to memory of 4056	3296	cmd.exe	chcp.com
PID 3296 wrote to memory of 4056	3296	cmd.exe	chcp.com
PID 3296 wrote to memory of 4780	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 4780	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 4000	3296	cmd.exe	Client-built.exe
PID 3296 wrote to memory of 4000	3296	cmd.exe	Client-built.exe
PID 4000 wrote to memory of 1264	4000	Client-built.exe	cmd.exe
PID 4000 wrote to memory of 1264	4000	Client-built.exe	cmd.exe
PID 1264 wrote to memory of 400	1264	cmd.exe	chcp.com
PID 1264 wrote to memory of 400	1264	cmd.exe	chcp.com
PID 1264 wrote to memory of 4408	1264	cmd.exe	PING.EXE
PID 1264 wrote to memory of 4408	1264	cmd.exe	PING.EXE
PID 1264 wrote to memory of 1432	1264	cmd.exe	Client-built.exe
PID 1264 wrote to memory of 1432	1264	cmd.exe	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\evZrUt2cYisq.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:5000

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8PEfSuQf1V1.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:4584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1364

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oK5dt5jgicqR.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1512

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4156

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3knl0HyWMkD.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:1708

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4692

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVUSwYo0qsFJ.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:4056

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:4780

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aM4jSNgvDE7V.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLjiTePsDDst.bat" "
14⤵
PID:2800

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:4880

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLjiTePsDDst.bat
Filesize
209B

MD5
c772fccbaa6a74a0e574332859348518

SHA1
afb4536d75b09bf6b5f75aafb6025737c030e3cc

SHA256
807c8f3e1b9d4d2f6a8b98bb917b627c551bd24a6564d088812fcfccd306f052

SHA512
a602e83b0e66a3beda7bc60ad12f8ebec3dd6edbf87d4f0bb5207f4976f0c9814db34fc2c6a8e0de3b9c3dcbef5d439d461f3ab8a1571cc042f86fdd0754e0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\G3knl0HyWMkD.bat
Filesize
209B

MD5
e39595c67b506ecc434519d99d32a50a

SHA1
25384a98b071dc8e9c735f5a6d8301391477e389

SHA256
15fc0477722aeca77451469f3574255c2aa8ad5ebcecf104a6dab01fed0f7c62

SHA512
15eea144d0634acf25e3d74593d2a867b06c903e2a810ecd9c18d2d9ea13e35bf0e16bea0aa6079b5ad17f858c8ec0a397d35e5097f94a7e83ab42987de8c625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q8PEfSuQf1V1.bat
Filesize
209B

MD5
b19188c13b5ebefb1ccfc251fb5e48d4

SHA1
992ff0badab1e263b7d44ff4aa9c835fed493073

SHA256
5ffb761406a4f8a3a6446b850d4f2c09ceeeebc665c3b9abc10d1eb4dc1a4254

SHA512
7da0e54088c73345d171f62a8323b0eb4d35bfb942e7c20161852571ba568a61c7431ee2e504b48219c541b799fc7b086c6c15a3127a895d628c2b6e88254411

Download Submit
C:\Users\Admin\AppData\Local\Temp\aM4jSNgvDE7V.bat
Filesize
209B

MD5
480e1391cfa2466369599c1d6ff27bf6

SHA1
d9d1d45bb8c753d3092e76731b68c0f02ebd4091

SHA256
4eb1eb9ed9279dbf40be4380990f3b60a73b016e7a793d5926d9d4dc410a7e60

SHA512
68a02de36bdaec46e3a3beb6507f4f9db2f36b55a5eebc401751e993fa1dfd770d9f03b2856b4b8713f627ce9aca9e2c21181f6b2c35895ab1944a3d8015000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dVUSwYo0qsFJ.bat
Filesize
209B

MD5
25b340c805f3a1097fb751b9eeb215c5

SHA1
5b969947161bfa5300ca707e52c017eb00c24ef4

SHA256
b9aadcc4cfd99f8a0d2a83241caedd199ba7262a024fb10e20bbbd811fd9e119

SHA512
ba96ede1708a7e900819852a964a4011b37ecd7b292ec0631ce47d8cf1e9b3d51fc27ec63dbabd355738b63667665ea89df3ba9d34c5efbca7b9bc9afedf00a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\evZrUt2cYisq.bat
Filesize
209B

MD5
19f8d875f644a6d43ef64a3681414f38

SHA1
55a61fa8ca1622aa7d73729aa04e952115d38b50

SHA256
26bf226a2822c5580c8fbde333a97db5c491a328d2ebe88d54decc1d83d5a791

SHA512
90245264a4783033e3687b349bfbeaa3d3053aedbe7171183a66d9f5f32dbe3751fb2dbb80c622fa4317e781e2bb90c5f5c109ad65b27995ea975143e549614e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oK5dt5jgicqR.bat
Filesize
209B

MD5
a7f654aba9062e7bd3d9df25f7cf2d70

SHA1
78c3cb0b078dfad83a28865045cf34a351dfb64c

SHA256
d44fcfcd1892945a93de8d003d8884b6e16dd6828cc9bcca8ec20df4738f26c8

SHA512
3d73bbdab55a8b4c504290d15ae4dca230ad921df17e3db2e37e3ca0d55babc4abe51b42ac9a8a52271021dfe461e6c6f1a38c97aeb0ca8b5927d937f8c65d10

Download Submit
memory/1248-4-0x000000001B9A0000-0x000000001BA52000-memory.dmp

Filesize
712KB

Download
memory/1248-9-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/1248-1-0x0000000000470000-0x0000000000794000-memory.dmp

Filesize
3.1MB

Download
memory/1248-3-0x000000001B890000-0x000000001B8E0000-memory.dmp

Filesize
320KB

Download
memory/1248-2-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/1248-0-0x00007FF991AE3000-0x00007FF991AE5000-memory.dmp

Filesize
8KB

Download
memory/3148-16-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download
memory/3148-12-0x00007FF991AE0000-0x00007FF9925A2000-memory.dmp

Filesize
10.8MB

Download