quasar | 3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8

General

Target

tmp.exe
Size

17KB
MD5

f6f83ba3f1e87503941e50b3e50d390f
SHA1

6983d00bc9cda93f0da126504d99a851ffef6cea
SHA256

3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8
SHA512

d9afb2024c16229d1245d1c8faf1a5fb7b1c2a4c2e379078e0c70493c8dedc7fb76be3233c4e9757168382b27b8ae4f17726209af893297fe67838472443e3d4
SSDEEP

384:O0CqWx4t+dWNzuY7/aAygucwhb6v/uFi:O0CL4sBTguJmei

Score

10^/10

quasar revengerat office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

51.89.157.248:4782

Mutex

MvfU8Y7jQptTEqcSWG

Attributes

encryption_key
gfcyUhYEMEq5BWNn8aVX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-73-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1732-72-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1732-74-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1732-75-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/1732-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1732-77-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\DriverHelp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\DriverHelp.exe\""	tmp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1744 set thread context of 1732 1744 tmp.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exetmp.exe

pid process

1464 powershell.exe
1568 powershell.exe
1744 tmp.exe
1744 tmp.exe
1744 tmp.exe
1744 tmp.exe

flow	ioc
9	ip-api.com

description	pid	process	target process
PID 1744 set thread context of 1732	1744	tmp.exe	RegAsm.exe

pid	process
1464	powershell.exe
1568	powershell.exe
1744	tmp.exe
1744	tmp.exe
1744	tmp.exe
1744	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1744	tmp.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1732	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1732 RegAsm.exe

pid	process
1732	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1464	1744	tmp.exe	powershell.exe
PID 1744 wrote to memory of 1464	1744	tmp.exe	powershell.exe
PID 1744 wrote to memory of 1464	1744	tmp.exe	powershell.exe
PID 1744 wrote to memory of 1464	1744	tmp.exe	powershell.exe
PID 1744 wrote to memory of 808	1744	tmp.exe	cmd.exe
PID 1744 wrote to memory of 808	1744	tmp.exe	cmd.exe
PID 1744 wrote to memory of 808	1744	tmp.exe	cmd.exe
PID 1744 wrote to memory of 808	1744	tmp.exe	cmd.exe
PID 808 wrote to memory of 1568	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1568	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1568	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1568	808	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1524	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 844	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe
PID 1744 wrote to memory of 1732	1744	tmp.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
286e0c9841f4a0fe8798dfaf632e0a4d

SHA1
44555f9b7f7e1813f538492450dd9492ebc1b3f4

SHA256
94d3ad3197360a9bd9c4d7c5520b63b9c9acb3ffb28e94cb7b8e5c3178d9b20f

SHA512
658f43ba6872ea95af3191256ba08d8a9f320c26018f218c8e7835c94e91d5971296ba2b0c68aca8a6e3e6b247b30b9884941108d5baeae3e95a4612c46984b3

Download Submit
memory/808-63-0x0000000000000000-mapping.dmp

Download
memory/1464-60-0x000000006F800000-0x000000006FDAB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-61-0x000000006F800000-0x000000006FDAB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download
memory/1464-62-0x000000006F800000-0x000000006FDAB000-memory.dmp

Filesize
5.7MB

Download
memory/1568-67-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-64-0x0000000000000000-mapping.dmp

Download
memory/1732-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-75-0x000000000044943E-mapping.dmp

Download
memory/1732-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1732-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1744-56-0x0000000005950000-0x0000000005AC6000-memory.dmp

Filesize
1.5MB

Download
memory/1744-55-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1744-57-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/1744-68-0x0000000004EA0000-0x0000000004EFC000-memory.dmp

Filesize
368KB

Download
memory/1744-54-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads