quasar | 4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98

Resubmissions

17-06-2021 13:06

14-06-2021 16:02

Target

DOCUMENT.EXE
Size

1.1MB
MD5

53964b6a40bfe2b10d36ba5e3d52966a
SHA1

b459111cfb08fb42238e8421583cea226226e769
SHA256

4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98
SHA512

03847f73a33a43bf84666db4a70167506d17b567f404098fd5237b704d30d1b35d7d50d2812a1f5c1b735bf13b915a448e3be9f8af9c3cc253f8ae6eacc3fea8

Score

10^/10

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1384-65-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1384-66-0x000000000045819E-mapping.dmp	family_quasar
behavioral1/memory/1384-67-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCUMENT.EXE

description pid process target process

PID 840 set thread context of 1384 840 DOCUMENT.EXE DOCUMENT.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DOCUMENT.EXE

pid process

840 DOCUMENT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DOCUMENT.EXEDOCUMENT.EXE

description pid process

Token: SeDebugPrivilege 840 DOCUMENT.EXE
Token: SeDebugPrivilege 1384 DOCUMENT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DOCUMENT.EXE

pid process

1384 DOCUMENT.EXE

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 840 set thread context of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE

pid	process
840	DOCUMENT.EXE

description	pid	process
Token: SeDebugPrivilege	840	DOCUMENT.EXE
Token: SeDebugPrivilege	1384	DOCUMENT.EXE

pid	process
1384	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DOCUMENT.EXE

description	pid	process	target process
PID 840 wrote to memory of 572	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 572	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 572	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 572	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE
PID 840 wrote to memory of 1384	840	DOCUMENT.EXE	DOCUMENT.EXE

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  PID:572
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1384

memory/840-59-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/840-61-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/840-62-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/840-63-0x00000000050C0000-0x000000000516D000-memory.dmp

Filesize
692KB

Download
memory/840-64-0x0000000001340000-0x00000000013BA000-memory.dmp

Filesize
488KB

Download
memory/1384-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1384-66-0x000000000045819E-mapping.dmp

Download
memory/1384-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1384-69-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download