quasar | 7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77

General

Target

7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe
Size

1.7MB
MD5

43a865af789cffa5f7a8d07841d1a43a
SHA1

52a2b4a1112beb0201d814038c41d58ac5aae8c9
SHA256

7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77
SHA512

0228bcaa909f0b193046185c372299001b7bbd1e51a1cc55dc12934fba73d452744a1f431bc0193cf79ea39ceae0cf46f5bc6ae21eaf6e0da9b3f804db65dcdc

Score

10^/10

quasar office01 persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office01

C2

174.139.46.13:4782

Mutex

QSR_MUTEX_mK2M7xovgh7rCUSa7M

Attributes

encryption_key
0icGYPYyleDgljf1p7Zu
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Store
subdirectory
Windows

Signatures

Quasar Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dll.exe	family_quasar
behavioral1/memory/1984-60-0x00000000013D0000-0x0000000001460000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\dll.exe	family_quasar
\Users\Admin\AppData\Local\Temp\dll.exe	family_quasar
\Users\Admin\AppData\Roaming\Windows\Client.exe	family_quasar
behavioral1/memory/1304-67-0x00000000008E0000-0x0000000000970000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 2 IoCs

Processes:

dll.exeClient.exe

pid process

1984 dll.exe
1304 Client.exe
Loads dropped DLL 2 IoCs

Processes:

7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exedll.exe

pid process

1212 7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe
1984 dll.exe

pid	process
1984	dll.exe
1304	Client.exe

pid	process
1212	7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe
1984	dll.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dll.exeClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dll.exe\""	dll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Client.exe\""	Client.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

700 schtasks.exe
1660 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dll.exeClient.exe

description pid process

Token: SeDebugPrivilege 1984 dll.exe
Token: SeDebugPrivilege 1304 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1304 Client.exe

flow	ioc
1	ip-api.com

pid	process
700	schtasks.exe
1660	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1984	dll.exe
Token: SeDebugPrivilege	1304	Client.exe

pid	process
1304	Client.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exedll.exeClient.exe

description	pid	process	target process
PID 1212 wrote to memory of 1984	1212	7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe	dll.exe
PID 1212 wrote to memory of 1984	1212	7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe	dll.exe
PID 1212 wrote to memory of 1984	1212	7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe	dll.exe
PID 1212 wrote to memory of 1984	1212	7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe	dll.exe
PID 1984 wrote to memory of 700	1984	dll.exe	schtasks.exe
PID 1984 wrote to memory of 700	1984	dll.exe	schtasks.exe
PID 1984 wrote to memory of 700	1984	dll.exe	schtasks.exe
PID 1984 wrote to memory of 700	1984	dll.exe	schtasks.exe
PID 1984 wrote to memory of 1304	1984	dll.exe	Client.exe
PID 1984 wrote to memory of 1304	1984	dll.exe	Client.exe
PID 1984 wrote to memory of 1304	1984	dll.exe	Client.exe
PID 1984 wrote to memory of 1304	1984	dll.exe	Client.exe
PID 1304 wrote to memory of 1660	1304	Client.exe	schtasks.exe
PID 1304 wrote to memory of 1660	1304	Client.exe	schtasks.exe
PID 1304 wrote to memory of 1660	1304	Client.exe	schtasks.exe
PID 1304 wrote to memory of 1660	1304	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe
"C:\Users\Admin\AppData\Local\Temp\7e9db09b8c7641ed850b00bf1e5a26b3f57955027c61051b5807b26922090e77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\dll.exe
"C:\Users\Admin\AppData\Local\Temp\dll.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Store" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dll.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:700

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft Store" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
\Users\Admin\AppData\Local\Temp\dll.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
548KB

MD5
55a9c9861d5058eeffa6a7e8f80da7f4

SHA1
c18171180b61081a6087bf544c5150a26894896c

SHA256
7d53f16a9e5e88e017ed349d718b797fbc6c18cf4b17376bb00a2bb2d6066c6d

SHA512
e8ce69aa65dda216b73bf172ab77eb56aa6b49e2117f1531a82001122a316b3454c7dd19d61a01eb480aafea5262319441997d877a11c23d36b0da8d70b3459f

Download Submit
memory/700-62-0x0000000000000000-mapping.dmp

Download
memory/1212-54-0x0000000000A00000-0x0000000000BB2000-memory.dmp

Filesize
1.7MB

Download
memory/1212-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1304-64-0x0000000000000000-mapping.dmp

Download
memory/1304-67-0x00000000008E0000-0x0000000000970000-memory.dmp

Filesize
576KB

Download
memory/1660-69-0x0000000000000000-mapping.dmp

Download
memory/1984-57-0x0000000000000000-mapping.dmp

Download
memory/1984-60-0x00000000013D0000-0x0000000001460000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads