quasar | 4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98

Resubmissions

17-06-2021 13:06

210617-e9xpw8561s 10

14-06-2021 16:02

210614-ntxhahdk2n 10

Analysis

max time kernel
133s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
17-06-2021 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENT.EXE
Size

1.1MB
MD5

53964b6a40bfe2b10d36ba5e3d52966a
SHA1

b459111cfb08fb42238e8421583cea226226e769
SHA256

4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98
SHA512

03847f73a33a43bf84666db4a70167506d17b567f404098fd5237b704d30d1b35d7d50d2812a1f5c1b735bf13b915a448e3be9f8af9c3cc253f8ae6eacc3fea8

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

31.210.20.167:5959

Mutex

QSR_MUTEX_pigwsPWGHX1pUkN87z

Attributes

encryption_key
oPLMDVWSDoMfcmNgvJgd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/772-66-0x000000000045819E-mapping.dmp	family_quasar
behavioral1/memory/772-65-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/772-67-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCUMENT.EXE

description pid process target process

PID 2000 set thread context of 772 2000 DOCUMENT.EXE DOCUMENT.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOCUMENT.EXE

description pid process

Token: SeDebugPrivilege 772 DOCUMENT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DOCUMENT.EXE

pid process

772 DOCUMENT.EXE

flow	ioc
3	ip-api.com

description	pid	process	target process
PID 2000 set thread context of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE

description	pid	process
Token: SeDebugPrivilege	772	DOCUMENT.EXE

pid	process
772	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DOCUMENT.EXE

description	pid	process	target process
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE
PID 2000 wrote to memory of 772	2000	DOCUMENT.EXE	DOCUMENT.EXE

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-66-0x000000000045819E-mapping.dmp

Download
memory/772-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/772-69-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2000-59-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2000-61-0x0000000000890000-0x00000000008AE000-memory.dmp

Filesize
120KB

Download
memory/2000-62-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2000-63-0x0000000005000000-0x00000000050AD000-memory.dmp

Filesize
692KB

Download
memory/2000-64-0x0000000004F50000-0x0000000004FCA000-memory.dmp

Filesize
488KB

Download