quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
360s
max time network
365s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2232-1-0x0000000000C30000-0x0000000000F54000-memory.dmp family_quasar
Drops file in Program Files directory 2 IoCs

Processes:

512.exe

description ioc process

File created C:\Program Files\common Files\Opera GX.exe 512.exe
File opened for modification C:\Program Files\common Files\Opera GX.exe 512.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2200 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

512.exe

description pid process

Token: SeDebugPrivilege 2232 512.exe

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar

description	ioc	process
File created	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	512.exe

pid	process
2200	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2232	512.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

512.exe

description	pid	process	target process
PID 2232 wrote to memory of 2200	2232	512.exe	schtasks.exe
PID 2232 wrote to memory of 2200	2232	512.exe	schtasks.exe
PID 2232 wrote to memory of 2200	2232	512.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\512.exe
"C:\Users\Admin\AppData\Local\Temp\512.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-0-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/2232-2-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-4-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/2232-5-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads