quasar | 1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cwel.exe
Size

3.1MB
MD5

a96e646d37c712c02f2014859c2ae1b3
SHA1

9c2a5842a9b929e66d2b92be8907d79c4f35fedf
SHA256

1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8
SHA512

eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6
SSDEEP

49152:Pv6I22SsaNYfdPBldt698dBcjH8UHNqRrcvJmkoGdXTHHB72eh2NT:Pv322SsaNYfdPBldt6+dBcjHjYrQ

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-52942.portmap.host:52942

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/3276-1-0x0000000000420000-0x0000000000744000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Opera GX.exe

pid process

4536 Opera GX.exe

resource	yara_rule
behavioral1/memory/3276-1-0x0000000000420000-0x0000000000744000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

pid	process
4536	Opera GX.exe

Drops file in Program Files directory 5 IoCs

Processes:

cwel.exeOpera GX.exe

description	ioc	process
File created	C:\Program Files\common Files\Opera GX.exe	cwel.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	cwel.exe
File opened for modification	C:\Program Files\common Files	cwel.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3196 schtasks.exe
4092 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cwel.exeOpera GX.exe

description pid process

Token: SeDebugPrivilege 3276 cwel.exe
Token: SeDebugPrivilege 4536 Opera GX.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Opera GX.exe

pid process

4536 Opera GX.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Opera GX.exe

pid process

4536 Opera GX.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Opera GX.exe

pid process

4536 Opera GX.exe

pid	process
3196	schtasks.exe
4092	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3276	cwel.exe
Token: SeDebugPrivilege	4536	Opera GX.exe

pid	process
4536	Opera GX.exe

pid	process
4536	Opera GX.exe

pid	process
4536	Opera GX.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cwel.exeOpera GX.exe

description	pid	process	target process
PID 3276 wrote to memory of 3196	3276	cwel.exe	schtasks.exe
PID 3276 wrote to memory of 3196	3276	cwel.exe	schtasks.exe
PID 3276 wrote to memory of 4536	3276	cwel.exe	Opera GX.exe
PID 3276 wrote to memory of 4536	3276	cwel.exe	Opera GX.exe
PID 4536 wrote to memory of 4092	4536	Opera GX.exe	schtasks.exe
PID 4536 wrote to memory of 4092	4536	Opera GX.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cwel.exe
"C:\Users\Admin\AppData\Local\Temp\cwel.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4092

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
a96e646d37c712c02f2014859c2ae1b3

SHA1
9c2a5842a9b929e66d2b92be8907d79c4f35fedf

SHA256
1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

SHA512
eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6

Download Submit
memory/3276-0-0x00007FFDAABB3000-0x00007FFDAABB5000-memory.dmp

Filesize
8KB

Download
memory/3276-1-0x0000000000420000-0x0000000000744000-memory.dmp

Filesize
3.1MB

Download
memory/3276-2-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

Filesize
10.8MB

Download
memory/3276-10-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

Filesize
10.8MB

Download
memory/4536-9-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

Filesize
10.8MB

Download
memory/4536-11-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

Filesize
10.8MB

Download
memory/4536-12-0x000000001C2F0000-0x000000001C340000-memory.dmp

Filesize
320KB

Download
memory/4536-13-0x000000001C400000-0x000000001C4B2000-memory.dmp

Filesize
712KB

Download
memory/4536-14-0x00007FFDAABB0000-0x00007FFDAB671000-memory.dmp

Filesize
10.8MB

Download