quasar | 6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62

General

Target

6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
Size

666KB
MD5

aab2ed3890b8b46618a12cdf36e5fdce
SHA1

b0b81e6b2198f5b0019012cfc7579190fb997d68
SHA256

6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62
SHA512

4c0c72d5c31aaa92295d66fa4819d7856ef447e6b1e4c50aca8eef44b23ad3a6dfb0f75550a3da0c0839ebcb968b74409b1e30e5304ed430cff909a3cd690e12
SSDEEP

12288:lnIs/2hGI1yDovUZznE6++jgb21HfHfY4qMuyYcYp00:is/2hGI1y2oE6+ggbCHfHflGZcY00

Score

10^/10

quasar office04 agilenet persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

microsoftteams.ddns.net:4050

Mutex

0c65e585-dc5d-4779-b45f-9df2f3f7e35b

Attributes

encryption_key
CB63860CD5C1811A72AA09D0BD0099CDBDFD9DCC
install_name
Windows Security notification icon.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security notification icon
subdirectory
Windows Security

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1184-62-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1184-64-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1184-65-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1184-66-0x000000000047E83E-mapping.dmp	family_quasar
behavioral1/memory/1184-68-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1184-70-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1520-54-0x0000000000C30000-0x0000000000CDC000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security notification icon = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Security\\SecurityHealthSystray.exe.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe

description	pid	process	target process
PID 1520 set thread context of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

672 powershell.exe

pid	process
1680	schtasks.exe

pid	process
672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1184	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
Token: SeDebugPrivilege	672	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe

description	pid	process	target process
PID 1520 wrote to memory of 672	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	powershell.exe
PID 1520 wrote to memory of 672	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	powershell.exe
PID 1520 wrote to memory of 672	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	powershell.exe
PID 1520 wrote to memory of 672	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	powershell.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1520 wrote to memory of 1184	1520	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
PID 1184 wrote to memory of 1680	1184	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	schtasks.exe
PID 1184 wrote to memory of 1680	1184	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	schtasks.exe
PID 1184 wrote to memory of 1680	1184	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	schtasks.exe
PID 1184 wrote to memory of 1680	1184	6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
"C:\Users\Admin\AppData\Local\Temp\6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security notification icon';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security notification icon' -Value '"C:\Users\Admin\AppData\Roaming\Windows Security\SecurityHealthSystray.exe.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Local\Temp\6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe
"C:\Users\Admin\AppData\Local\Temp\6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6d77dca34129cb6561776280dc4e427dbb3dc393546296b1bb6e62f14f678c62.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-58-0x0000000000000000-mapping.dmp

Download
memory/672-76-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/672-75-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/672-74-0x000000006ECD0000-0x000000006F27B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-64-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-59-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-60-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-62-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-65-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-66-0x000000000047E83E-mapping.dmp

Download
memory/1184-68-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1184-70-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1520-54-0x0000000000C30000-0x0000000000CDC000-memory.dmp

Filesize
688KB

Download
memory/1520-57-0x00000000049C0000-0x0000000004A58000-memory.dmp

Filesize
608KB

Download
memory/1520-56-0x0000000000B40000-0x0000000000BD6000-memory.dmp

Filesize
600KB

Download
memory/1520-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1680-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads