quasar | 4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98

Resubmissions

17-06-2021 13:06

210617-e9xpw8561s 10

14-06-2021 16:02

210614-ntxhahdk2n 10

Analysis

max time kernel
130s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
17-06-2021 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENT.EXE
Size

1.1MB
MD5

53964b6a40bfe2b10d36ba5e3d52966a
SHA1

b459111cfb08fb42238e8421583cea226226e769
SHA256

4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98
SHA512

03847f73a33a43bf84666db4a70167506d17b567f404098fd5237b704d30d1b35d7d50d2812a1f5c1b735bf13b915a448e3be9f8af9c3cc253f8ae6eacc3fea8

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

31.210.20.167:5959

Mutex

QSR_MUTEX_pigwsPWGHX1pUkN87z

Attributes

encryption_key
oPLMDVWSDoMfcmNgvJgd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1652-126-0x000000000045819E-mapping.dmp	family_quasar
behavioral2/memory/1652-125-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3908 set thread context of 1652	3908	DOCUMENT.EXE	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3908	DOCUMENT.EXE
3908	DOCUMENT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	DOCUMENT.EXE
Token: SeDebugPrivilege	1652	DOCUMENT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	79
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	79
PID 3908 wrote to memory of 1228	3908	DOCUMENT.EXE	79
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80
PID 3908 wrote to memory of 1652	3908	DOCUMENT.EXE	80

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-135-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/1652-134-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1652-133-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1652-132-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1652-125-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3908-119-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3908-123-0x0000000005920000-0x00000000059CD000-memory.dmp

Filesize
692KB

Download
memory/3908-124-0x0000000007E80000-0x0000000007EFA000-memory.dmp

Filesize
488KB

Download
memory/3908-122-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/3908-121-0x0000000004B30000-0x0000000004B4E000-memory.dmp

Filesize
120KB

Download
memory/3908-120-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3908-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3908-118-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3908-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3908-116-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download