quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
451s
max time network
526s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/668-1-0x0000000000230000-0x0000000000554000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Opera GX.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Opera GX.exe
Executes dropped EXE 1 IoCs

Processes:

Opera GX.exe

pid process

4484 Opera GX.exe

resource	yara_rule
behavioral1/memory/668-1-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Opera GX.exe

pid	process
4484	Opera GX.exe

Drops file in Program Files directory 5 IoCs

Processes:

512.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	512.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3452 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

792 schtasks.exe
2888 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

512.exeOpera GX.exe

description pid process

Token: SeDebugPrivilege 668 512.exe
Token: SeDebugPrivilege 4484 Opera GX.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Opera GX.exe

pid process

4484 Opera GX.exe
4484 Opera GX.exe
4484 Opera GX.exe
4484 Opera GX.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Opera GX.exe

pid process

4484 Opera GX.exe
4484 Opera GX.exe
4484 Opera GX.exe
4484 Opera GX.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Opera GX.exe

pid process

4484 Opera GX.exe

pid	process
3452	PING.EXE

pid	process
792	schtasks.exe
2888	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	668	512.exe
Token: SeDebugPrivilege	4484	Opera GX.exe

pid	process
4484	Opera GX.exe
4484	Opera GX.exe
4484	Opera GX.exe
4484	Opera GX.exe

pid	process
4484	Opera GX.exe
4484	Opera GX.exe
4484	Opera GX.exe
4484	Opera GX.exe

pid	process
4484	Opera GX.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

512.exeOpera GX.execmd.exe

description	pid	process	target process
PID 668 wrote to memory of 2888	668	512.exe	schtasks.exe
PID 668 wrote to memory of 2888	668	512.exe	schtasks.exe
PID 668 wrote to memory of 4484	668	512.exe	Opera GX.exe
PID 668 wrote to memory of 4484	668	512.exe	Opera GX.exe
PID 4484 wrote to memory of 792	4484	Opera GX.exe	schtasks.exe
PID 4484 wrote to memory of 792	4484	Opera GX.exe	schtasks.exe
PID 4484 wrote to memory of 2968	4484	Opera GX.exe	schtasks.exe
PID 4484 wrote to memory of 2968	4484	Opera GX.exe	schtasks.exe
PID 4484 wrote to memory of 5084	4484	Opera GX.exe	cmd.exe
PID 4484 wrote to memory of 5084	4484	Opera GX.exe	cmd.exe
PID 5084 wrote to memory of 5056	5084	cmd.exe	chcp.com
PID 5084 wrote to memory of 5056	5084	cmd.exe	chcp.com
PID 5084 wrote to memory of 3452	5084	cmd.exe	PING.EXE
PID 5084 wrote to memory of 3452	5084	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\512.exe
"C:\Users\Admin\AppData\Local\Temp\512.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "OperaVPN" /f
3⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9zIfO7mjNnMb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5056

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3452

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
317a46786b73fccfafa5b5678c1a21a1

SHA1
e72c0001fb47a477514f5abdb348ae489de65f72

SHA256
1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

SHA512
237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9zIfO7mjNnMb.bat
Filesize
205B

MD5
e564aadbb88c270eefaa2a024c339c6e

SHA1
41c2644cff47f5114220e10ddd223729b6beae06

SHA256
d91a4c88097874d711b5206e4049ae746359e9e54fe0213dbc8275bd97029178

SHA512
65ce7f9016e297ffeecb4dae6c03a7c4d03c58c410c5a8cc2dde0462382383bd9f5a8de98a27e7fc46c487c43eadcab3d9506f1327a136ed71be71f20c5a14ba

Download Submit
memory/668-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp

Filesize
8KB

Download
memory/668-1-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/668-2-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/668-9-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/4484-11-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/4484-12-0x000000001C530000-0x000000001C580000-memory.dmp

Filesize
320KB

Download
memory/4484-13-0x000000001C640000-0x000000001C6F2000-memory.dmp

Filesize
712KB

Download
memory/4484-16-0x000000001C5C0000-0x000000001C5D2000-memory.dmp

Filesize
72KB

Download
memory/4484-17-0x000000001D140000-0x000000001D17C000-memory.dmp

Filesize
240KB

Download
memory/4484-18-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/4484-24-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download
memory/4484-10-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp

Filesize
10.8MB

Download