quasar | 462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0

General

Target

Setup NanoCore.exe
Size

502KB
MD5

2432a79f87ae0700a2f681bb4c80fc7d
SHA1

7305644f24889c2d1184b1917427ef73b25b3c9d
SHA256

462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0
SHA512

ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72
SSDEEP

6144:oTEgdc0YZXbZvdo6EsRwdCO+ZSOD/A6uscEwqb8F9WQLSqYYcTR32:oTEgdfYvdo6VZksgN7S1Ycd2

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office01

C2

192.168.126.1:4782

5.165.98.151:4782

Mutex

a85aa22e-e90d-4495-8562-3795974d8493

Attributes

encryption_key
11F19CA636E6BC02F3A0417454F784805D789D97
install_name
NanoCore.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
AntiMalware Service Рфслув

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1344-54-0x0000000000220000-0x00000000002A4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe	family_quasar
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe	family_quasar
behavioral1/memory/1676-60-0x00000000001E0000-0x0000000000264000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

NanoCore.exe

pid process

1676 NanoCore.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

824 schtasks.exe
1756 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Setup NanoCore.exeNanoCore.exe

description pid process

Token: SeDebugPrivilege 1344 Setup NanoCore.exe
Token: SeDebugPrivilege 1676 NanoCore.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NanoCore.exe

pid process

1676 NanoCore.exe

pid	process
1676	NanoCore.exe

pid	process
824	schtasks.exe
1756	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1344	Setup NanoCore.exe
Token: SeDebugPrivilege	1676	NanoCore.exe

pid	process
1676	NanoCore.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup NanoCore.exeNanoCore.exe

description	pid	process	target process
PID 1344 wrote to memory of 824	1344	Setup NanoCore.exe	schtasks.exe
PID 1344 wrote to memory of 824	1344	Setup NanoCore.exe	schtasks.exe
PID 1344 wrote to memory of 824	1344	Setup NanoCore.exe	schtasks.exe
PID 1344 wrote to memory of 1676	1344	Setup NanoCore.exe	NanoCore.exe
PID 1344 wrote to memory of 1676	1344	Setup NanoCore.exe	NanoCore.exe
PID 1344 wrote to memory of 1676	1344	Setup NanoCore.exe	NanoCore.exe
PID 1676 wrote to memory of 1756	1676	NanoCore.exe	schtasks.exe
PID 1676 wrote to memory of 1756	1676	NanoCore.exe	schtasks.exe
PID 1676 wrote to memory of 1756	1676	NanoCore.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Setup NanoCore.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:824

C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
"C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
Filesize
502KB

MD5
2432a79f87ae0700a2f681bb4c80fc7d

SHA1
7305644f24889c2d1184b1917427ef73b25b3c9d

SHA256
462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0

SHA512
ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72

Download Submit
C:\Users\Admin\AppData\Roaming\AntiMalware Service Рфслув\NanoCore.exe
Filesize
502KB

MD5
2432a79f87ae0700a2f681bb4c80fc7d

SHA1
7305644f24889c2d1184b1917427ef73b25b3c9d

SHA256
462f9fb435ede4892a1b4ffaadcb747825d2c361f6b153beee552ec295c48dc0

SHA512
ee265f09302b8ed65a1133dcedea0619c2f54544760e4f819da91528487c9870aa659dfc9ac731536ea0d70401188d1afb966b30505f77d58d71fdceb86e3c72

Download Submit
memory/824-56-0x0000000000000000-mapping.dmp

Download
memory/1344-54-0x0000000000220000-0x00000000002A4000-memory.dmp

Filesize
528KB

Download
memory/1344-55-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1676-57-0x0000000000000000-mapping.dmp

Download
memory/1676-60-0x00000000001E0000-0x0000000000264000-memory.dmp

Filesize
528KB

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads