quasar | aeea5611efcebc1112055000624ea27dbd3d9a05dae851732a983e7ec287b190

Analysis

max time kernel
299s
max time network
300s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

bd22cd33208d9f613123693356b06a31
SHA1

30f84ab122328cbdbb0059f233056ef3e123c59c
SHA256

aeea5611efcebc1112055000624ea27dbd3d9a05dae851732a983e7ec287b190
SHA512

134ce387dab94c55a2d85b647d1eb65000b67184cb83d5c2486d777ba7729d4c7d99f59fabe8fde7bfde588b99d3149f847fed4a96cc6e085265eea2d5f55186
SSDEEP

49152:HvulL26AaNeWgPhlmVqvMQ7XSKUVm+mzghoGdSmTHHB72eh2NT:HveL26AaNeWgPhlmVqkQ7XSKUVmy

Score

10^/10

quasar spoffer fivem spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Spoffer Fivem

pringelsy-53072.portmap.host:53072

Mutex

c70aabf1-c896-42de-8406-22e4348930d6

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
alg.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
C:\Program Files\Common Files\alg.exe	family_quasar
behavioral1/memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

alg.exe

pid process

2948 alg.exe

pid	process
2948	alg.exe

Drops file in Program Files directory 5 IoCs

Processes:

Client-built.exealg.exe

description	ioc	process
File created	C:\Program Files\Common Files\alg.exe	Client-built.exe
File opened for modification	C:\Program Files\Common Files\alg.exe	Client-built.exe
File opened for modification	C:\Program Files\Common Files	Client-built.exe
File opened for modification	C:\Program Files\Common Files\alg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2160 schtasks.exe
2684 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exealg.exe

description pid process

Token: SeDebugPrivilege 1276 Client-built.exe
Token: SeDebugPrivilege 2948 alg.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

alg.exe

pid process

2948 alg.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

alg.exe

pid process

2948 alg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

alg.exe

pid process

2948 alg.exe

pid	process
2160	schtasks.exe
2684	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1276	Client-built.exe
Token: SeDebugPrivilege	2948	alg.exe

pid	process
2948	alg.exe

pid	process
2948	alg.exe

pid	process
2948	alg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Client-built.exealg.exe

description	pid	process	target process
PID 1276 wrote to memory of 2160	1276	Client-built.exe	schtasks.exe
PID 1276 wrote to memory of 2160	1276	Client-built.exe	schtasks.exe
PID 1276 wrote to memory of 2160	1276	Client-built.exe	schtasks.exe
PID 1276 wrote to memory of 2948	1276	Client-built.exe	alg.exe
PID 1276 wrote to memory of 2948	1276	Client-built.exe	alg.exe
PID 1276 wrote to memory of 2948	1276	Client-built.exe	alg.exe
PID 2948 wrote to memory of 2684	2948	alg.exe	schtasks.exe
PID 2948 wrote to memory of 2684	2948	alg.exe	schtasks.exe
PID 2948 wrote to memory of 2684	2948	alg.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Program Files\Common Files\alg.exe
"C:\Program Files\Common Files\alg.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\alg.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\alg.exe
Filesize
3.1MB

MD5
bd22cd33208d9f613123693356b06a31

SHA1
30f84ab122328cbdbb0059f233056ef3e123c59c

SHA256
aeea5611efcebc1112055000624ea27dbd3d9a05dae851732a983e7ec287b190

SHA512
134ce387dab94c55a2d85b647d1eb65000b67184cb83d5c2486d777ba7729d4c7d99f59fabe8fde7bfde588b99d3149f847fed4a96cc6e085265eea2d5f55186

Download Submit
memory/1276-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/1276-1-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/1276-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/1276-8-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-10-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-9-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2948-11-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-12-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-13-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download