quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
1071s
max time network
1170s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/4724-1-0x00000000008B0000-0x0000000000BD4000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Opera GX.exe

pid process

3744 Opera GX.exe

resource	yara_rule
behavioral1/memory/4724-1-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

pid	process
3744	Opera GX.exe

Drops file in Program Files directory 5 IoCs

Processes:

512.exeOpera GX.exe

description	ioc	process
File created	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1296 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3264 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3624 schtasks.exe
3448 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

512.exeOpera GX.exe

description pid process

Token: SeDebugPrivilege 4724 512.exe
Token: SeDebugPrivilege 3744 Opera GX.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Opera GX.exe

pid process

3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Opera GX.exe

pid process

3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
3744 Opera GX.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Opera GX.exe

pid process

3744 Opera GX.exe

pid	process
1296	ipconfig.exe

pid	process
3264	PING.EXE

pid	process
3624	schtasks.exe
3448	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4724	512.exe
Token: SeDebugPrivilege	3744	Opera GX.exe

pid	process
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe

pid	process
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe
3744	Opera GX.exe

pid	process
3744	Opera GX.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

512.exeOpera GX.execmd.execmd.exe

description	pid	process	target process
PID 4724 wrote to memory of 3624	4724	512.exe	schtasks.exe
PID 4724 wrote to memory of 3624	4724	512.exe	schtasks.exe
PID 4724 wrote to memory of 3744	4724	512.exe	Opera GX.exe
PID 4724 wrote to memory of 3744	4724	512.exe	Opera GX.exe
PID 3744 wrote to memory of 3448	3744	Opera GX.exe	schtasks.exe
PID 3744 wrote to memory of 3448	3744	Opera GX.exe	schtasks.exe
PID 3744 wrote to memory of 2900	3744	Opera GX.exe	cmd.exe
PID 3744 wrote to memory of 2900	3744	Opera GX.exe	cmd.exe
PID 2900 wrote to memory of 3712	2900	cmd.exe	chcp.com
PID 2900 wrote to memory of 3712	2900	cmd.exe	chcp.com
PID 2900 wrote to memory of 1296	2900	cmd.exe	ipconfig.exe
PID 2900 wrote to memory of 1296	2900	cmd.exe	ipconfig.exe
PID 3744 wrote to memory of 2500	3744	Opera GX.exe	schtasks.exe
PID 3744 wrote to memory of 2500	3744	Opera GX.exe	schtasks.exe
PID 3744 wrote to memory of 2924	3744	Opera GX.exe	cmd.exe
PID 3744 wrote to memory of 2924	3744	Opera GX.exe	cmd.exe
PID 2924 wrote to memory of 3872	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 3872	2924	cmd.exe	chcp.com
PID 2924 wrote to memory of 3264	2924	cmd.exe	PING.EXE
PID 2924 wrote to memory of 3264	2924	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\512.exe
"C:\Users\Admin\AppData\Local\Temp\512.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /K CHCP 437
3⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\chcp.com
CHCP 437
4⤵
PID:3712

C:\Windows\system32\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:1296

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "OperaVPN" /f
3⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tVwe2zFAeSwh.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
317a46786b73fccfafa5b5678c1a21a1

SHA1
e72c0001fb47a477514f5abdb348ae489de65f72

SHA256
1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

SHA512
237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tVwe2zFAeSwh.bat
Filesize
205B

MD5
ac667bea46da2000aad75e57054c72da

SHA1
c86d621ebb74d8adb6fbb41b49de3922d4c47716

SHA256
c0922c352dd8cb81c8369a7fbe27c619c5afb616c4beea7bcc20d11a9b783297

SHA512
e800f46a762ee4d227a8b8241adfd392df4b33c31e5174055be54fd965f42f2eb7b3bad1875a5a3c8ce76b2f430ee679ac8560e685277db687f5e8a3237a1daf

Download Submit
memory/3744-11-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/3744-9-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/3744-12-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download
memory/3744-13-0x000000001C420000-0x000000001C4D2000-memory.dmp

Filesize
712KB

Download
memory/3744-16-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

Filesize
72KB

Download
memory/3744-17-0x000000001CF30000-0x000000001CF6C000-memory.dmp

Filesize
240KB

Download
memory/3744-18-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/3744-19-0x000000001D7A0000-0x000000001DCC8000-memory.dmp

Filesize
5.2MB

Download
memory/3744-33-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/4724-2-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/4724-10-0x00007FF837590000-0x00007FF838052000-memory.dmp

Filesize
10.8MB

Download
memory/4724-0-0x00007FF837593000-0x00007FF837595000-memory.dmp

Filesize
8KB

Download
memory/4724-1-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download