quasar | 4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98

Resubmissions

17-06-2021 13:06

210617-e9xpw8561s 10

14-06-2021 16:02

210614-ntxhahdk2n 10

Analysis

max time kernel
130s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
17-06-2021 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENT.EXE
Size

1.1MB
MD5

53964b6a40bfe2b10d36ba5e3d52966a
SHA1

b459111cfb08fb42238e8421583cea226226e769
SHA256

4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98
SHA512

03847f73a33a43bf84666db4a70167506d17b567f404098fd5237b704d30d1b35d7d50d2812a1f5c1b735bf13b915a448e3be9f8af9c3cc253f8ae6eacc3fea8

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

31.210.20.167:5959

Mutex

QSR_MUTEX_pigwsPWGHX1pUkN87z

Attributes

encryption_key
oPLMDVWSDoMfcmNgvJgd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-126-0x000000000045819E-mapping.dmp	family_quasar
behavioral2/memory/1652-125-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCUMENT.EXE

description pid process target process

PID 3908 set thread context of 1652 3908 DOCUMENT.EXE DOCUMENT.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DOCUMENT.EXE

pid process

3908 DOCUMENT.EXE
3908 DOCUMENT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DOCUMENT.EXEDOCUMENT.EXE

description pid process

Token: SeDebugPrivilege 3908 DOCUMENT.EXE
Token: SeDebugPrivilege 1652 DOCUMENT.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DOCUMENT.EXE

pid process

1652 DOCUMENT.EXE

flow	ioc
14	ip-api.com

description	pid	process	target process
PID 3908 set thread context of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE

pid	process
3908	DOCUMENT.EXE
3908	DOCUMENT.EXE

description	pid	process
Token: SeDebugPrivilege	3908	DOCUMENT.EXE
Token: SeDebugPrivilege	1652	DOCUMENT.EXE

pid	process
1652	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

DOCUMENT.EXE

description	pid	process	target process
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	DOCUMENT.EXE

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOCUMENT.EXE.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/1652-126-0x000000000045819E-mapping.dmp

Download
memory/1652-135-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/1652-134-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1652-133-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1652-132-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1652-125-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3908-119-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3908-123-0x0000000005920000-0x00000000059CD000-memory.dmp

Filesize
692KB

Download
memory/3908-124-0x0000000007E80000-0x0000000007EFA000-memory.dmp

Filesize
488KB

Download
memory/3908-122-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/3908-121-0x0000000004B30000-0x0000000004B4E000-memory.dmp

Filesize
120KB

Download
memory/3908-120-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3908-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3908-118-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3908-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3908-116-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download