quasar | 5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6

General

Target

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
Size

1.3MB
MD5

289b643e1a46d2b8de76323db780b6cf
SHA1

ef7ff8a8a634319e57043a35a9c3a9aa062f8a93
SHA256

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6
SHA512

6353d2a666d5b99d9e6e22cbe9fafb4a0640ade812c3c613bde47ceea612eefc5ef835051b88163edad7a8a49b861ee8847f5a663a9b1049b5578293ccb74a04

Score

10^/10

quasar revengerat office spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

46.249.59.99:111

Mutex

mz2wiNFAWq1HjJ2fUn

Attributes

encryption_key
8DIs0SbdWcImnvHm2I9I
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1528-137-0x0000000000000000-mapping.dmp	family_quasar
behavioral2/memory/1528-138-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aa1.url powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2644 set thread context of 1528 2644 powershell.exe RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aa1.url	powershell.exe

flow	ioc
10	ip-api.com

description	pid	process	target process
PID 2644 set thread context of 1528	2644	powershell.exe	RegAsm.exe

NTFS ADS 1 IoCs

Processes:

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\default:StdRegProv	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2644 powershell.exe
2644 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2644 powershell.exe
Token: SeDebugPrivilege 1528 RegAsm.exe

pid	process
2644	powershell.exe
2644	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1528	RegAsm.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

pid	process
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

pid	process
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exepowershell.exe

description	pid	process	target process
PID 3560 wrote to memory of 2644	3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe	powershell.exe
PID 3560 wrote to memory of 2644	3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe	powershell.exe
PID 3560 wrote to memory of 2644	3560	5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe	powershell.exe
PID 2644 wrote to memory of 1492	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1492	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1492	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 4152	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 4152	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 4152	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe
PID 2644 wrote to memory of 1528	2644	powershell.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
"C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe"
1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Threading.Thread]::GetDomain().Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\yVP').GetValue('GJW'));[Rkb]::eEyo('C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe', 'QTEO', '5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe')
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-137-0x0000000000000000-mapping.dmp

Download
memory/1528-143-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/1528-142-0x00000000064B0000-0x00000000064EC000-memory.dmp

Filesize
240KB

Download
memory/1528-141-0x0000000006090000-0x00000000060A2000-memory.dmp

Filesize
72KB

Download
memory/1528-140-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/1528-139-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/1528-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-133-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/2644-136-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/2644-135-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2644-134-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/2644-130-0x0000000000000000-mapping.dmp

Download
memory/2644-132-0x00000000051F0000-0x0000000005818000-memory.dmp

Filesize
6.2MB

Download
memory/2644-131-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads