quasar | 7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786

General

Target

7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
Size

463KB
MD5

fe410944a04368c81eef23bc3e519888
SHA1

e374403c0fd537d5af14d421bdaa902245a03d91
SHA256

7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786
SHA512

456d52068aca2ed3dab67e247524a818f77e2eb4a45296a6fcd9939b1770e042866ea09a0d751a503f16eafdf681bb7bebeee9a60409d61549a6838f39ac801e

Score

10^/10

quasar office04 spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

107.173.219.125:1714

Mutex

NRgo8ArOed1VVkhIyd

Attributes

encryption_key
XZyY0DaQV5kpii268lOQ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1712-145-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata
Executes dropped EXE 1 IoCs

Processes:

vW0wEDKCm80ZnMdKhed.exe

pid process

1852 vW0wEDKCm80ZnMdKhed.exe

pid	process
1852	vW0wEDKCm80ZnMdKhed.exe

Drops startup file 1 IoCs

Processes:

vW0wEDKCm80ZnMdKhed.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vW0wEDKCm80ZnMdK.exe.url	vW0wEDKCm80ZnMdKhed.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
16 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

vW0wEDKCm80ZnMdKhed.exe

description pid process target process

PID 1852 set thread context of 1712 1852 vW0wEDKCm80ZnMdKhed.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vW0wEDKCm80ZnMdKhed.exe

pid process

1852 vW0wEDKCm80ZnMdKhed.exe
1852 vW0wEDKCm80ZnMdKhed.exe
1852 vW0wEDKCm80ZnMdKhed.exe
1852 vW0wEDKCm80ZnMdKhed.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vW0wEDKCm80ZnMdKhed.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1852 vW0wEDKCm80ZnMdKhed.exe
Token: SeDebugPrivilege 1712 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1712 RegAsm.exe

flow	ioc
6	ip-api.com
16	api.ipify.org

description	pid	process	target process
PID 1852 set thread context of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe

pid	process
1852	vW0wEDKCm80ZnMdKhed.exe
1852	vW0wEDKCm80ZnMdKhed.exe
1852	vW0wEDKCm80ZnMdKhed.exe
1852	vW0wEDKCm80ZnMdKhed.exe

description	pid	process
Token: SeDebugPrivilege	1852	vW0wEDKCm80ZnMdKhed.exe
Token: SeDebugPrivilege	1712	RegAsm.exe

pid	process
1712	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exevW0wEDKCm80ZnMdKhed.execsc.exe

description	pid	process	target process
PID 4180 wrote to memory of 1852	4180	7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe	vW0wEDKCm80ZnMdKhed.exe
PID 4180 wrote to memory of 1852	4180	7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe	vW0wEDKCm80ZnMdKhed.exe
PID 4180 wrote to memory of 1852	4180	7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe	vW0wEDKCm80ZnMdKhed.exe
PID 1852 wrote to memory of 4700	1852	vW0wEDKCm80ZnMdKhed.exe	csc.exe
PID 1852 wrote to memory of 4700	1852	vW0wEDKCm80ZnMdKhed.exe	csc.exe
PID 1852 wrote to memory of 4700	1852	vW0wEDKCm80ZnMdKhed.exe	csc.exe
PID 4700 wrote to memory of 2464	4700	csc.exe	cvtres.exe
PID 4700 wrote to memory of 2464	4700	csc.exe	cvtres.exe
PID 4700 wrote to memory of 2464	4700	csc.exe	cvtres.exe
PID 1852 wrote to memory of 4564	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 4564	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 4564	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe
PID 1852 wrote to memory of 1712	1852	vW0wEDKCm80ZnMdKhed.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe
"C:\Users\Admin\AppData\Local\Temp\7066242587e3a00eca52cd992e1e1175b4d9a8de62822118ca5750e563617786.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe
C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe 1
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED7.tmp" "c:\Users\Admin\AppData\Local\Temp\wjzsvtax\CSCEEE94CED71E3485EA8FB3C429C6EE450.TMP"
4⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8ED7.tmp
Filesize
1KB

MD5
2bce79aebe9bdde46cf1d696ee690113

SHA1
800c31c47d521aa1d4722d58e3f1bf6748a8f28b

SHA256
d58b56abe4b7c40ffcdc3e90c128df3c362b45d244217700a233e17d5771d144

SHA512
2fe0c8c574c96baf3b9c2da1285f01a72207d920b3d767615edb259d9cad74e02d567c126e47f30f68b0fea12f548046b7650bbcdd6d0baa10be89ee92bc280a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.dll
Filesize
5KB

MD5
0789e7e8862063f1c77f276c6c1507be

SHA1
e7e9e50273e84d847b3605e07c4ed7cdbaa9a060

SHA256
742c27ddd1d6faeda7cb009c856d7b5a25edf25d0ff7659fe8155f3f71d52956

SHA512
3a2215fc27c1e3ef5432a1beab6fe52efba1263276b9227530e54caf1b09d600e7ce5f7225a19c3ca450ff8c43505d3a21334eec673e3c08108d8a644c06de89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.pdb
Filesize
15KB

MD5
7253d53335ac4945c465add3c90cf66a

SHA1
a703dec636509da178f04c851f526fd177c33856

SHA256
c1b24321ebd91e28d26a9bf90d216a637bcb47bf74da03b126edf24c3f3f4ea5

SHA512
2b07355c5ec8dffa6ab2fd63f468b9617e42a7242387918eb7fb4cd74804abb8545af00a520011f1ad539fb58e4bd118112ab29346ad9d1f42967b2dceb145c1

Download Submit
C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe
Filesize
339KB

MD5
b0e7b0b02a31f317bd5285fd973b2f51

SHA1
52b8e10ff270cae050cf5cc43f72fd6cc367fbb8

SHA256
563bedc1171ef94458bc3acddbe2215fb0278ca749e8915a781e1a33678c5c7b

SHA512
f4ee187578a30d40611fb577b24be01131ec28deb26f798269db45ed47fe663ad12b32484d531d010072c8870b93befecadb7a955da0eab05db9d470fe4c8468

Download Submit
C:\Users\Admin\vW0wEDKCm80ZnMdKhed.exe
Filesize
339KB

MD5
b0e7b0b02a31f317bd5285fd973b2f51

SHA1
52b8e10ff270cae050cf5cc43f72fd6cc367fbb8

SHA256
563bedc1171ef94458bc3acddbe2215fb0278ca749e8915a781e1a33678c5c7b

SHA512
f4ee187578a30d40611fb577b24be01131ec28deb26f798269db45ed47fe663ad12b32484d531d010072c8870b93befecadb7a955da0eab05db9d470fe4c8468

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\CSCEEE94CED71E3485EA8FB3C429C6EE450.TMP
Filesize
1KB

MD5
567743744c556664e38a70002fbb4236

SHA1
b86d53b2ee91b5617c68c2183cdd3abaa4df06cb

SHA256
49c2d6dbf50c1ef4a766fc4d8a98e17c7edf072a3a19de15d4c67c395603c75a

SHA512
0eee96477baf3a05b0310f8f30fe977bd84f50d8ec497d5e1e0001be533356339b3cfa6669f25f175176757a51dcdeee270ed9b523aef130c8013927d7afad35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.0.cs
Filesize
2KB

MD5
6777f580d9718e696aaef081870ceabe

SHA1
aef4e152604965ecd26ea4a32ec4282792633043

SHA256
d3ce5a4eafbe7c6ae9e0039facd57059b7cc3f3173663d63433e358e4ceff572

SHA512
f32522d03f482bbfc93b8ac7241cb74fab4c7f19addbeae97969cbcc6410a3117d2279465a1c9bfaa015cc3ac7a9ce2f9714ea6e8607d42906e8ee9a8454c8bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjzsvtax\wjzsvtax.cmdline
Filesize
224B

MD5
8ce89c5c50c33ae7ac044efb81c2b8db

SHA1
5b8327c3ed1ccf29799976196715882732bcbc0a

SHA256
b02a2032d7e67da33dc1a8cfd57ade194c9f7937bd6757a46c7a8ae89f7f3a9e

SHA512
35eb575c44b775e0607981cbaf721e90aac18f3541dbfce4d282031598f72bac756c7828729a60fdbe302f674d21d7e21db2be4ffa8c5ea90bcc774a5eee1aef

Download Submit
memory/1712-147-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/1712-144-0x0000000000000000-mapping.dmp

Download
memory/1712-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1712-146-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/1712-148-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/1712-149-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download
memory/1712-150-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download
memory/1852-130-0x0000000000000000-mapping.dmp

Download
memory/1852-133-0x0000000000FA0000-0x0000000000FFC000-memory.dmp

Filesize
368KB

Download
memory/1852-142-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/2464-137-0x0000000000000000-mapping.dmp

Download
memory/4564-143-0x0000000000000000-mapping.dmp

Download
memory/4700-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads