quasar | 3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8

General

Target

tmp.exe
Size

17KB
MD5

f6f83ba3f1e87503941e50b3e50d390f
SHA1

6983d00bc9cda93f0da126504d99a851ffef6cea
SHA256

3fb34d34eaa6800dce2dce585ec89a9b3f98637c624c8774945af5ad8a37a3e8
SHA512

d9afb2024c16229d1245d1c8faf1a5fb7b1c2a4c2e379078e0c70493c8dedc7fb76be3233c4e9757168382b27b8ae4f17726209af893297fe67838472443e3d4
SSDEEP

384:O0CqWx4t+dWNzuY7/aAygucwhb6v/uFi:O0CL4sBTguJmei

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

51.89.157.248:4782

Mutex

MvfU8Y7jQptTEqcSWG

Attributes

encryption_key
gfcyUhYEMEq5BWNn8aVX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3692-147-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverHelp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\DriverHelp.exe\""	tmp.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 400 set thread context of 3692 400 tmp.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2064 powershell.exe
2064 powershell.exe
2228 powershell.exe
2228 powershell.exe

flow	ioc
14	ip-api.com

description	pid	process	target process
PID 400 set thread context of 3692	400	tmp.exe	RegAsm.exe

pid	process
2064	powershell.exe
2064	powershell.exe
2228	powershell.exe
2228	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	400	tmp.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3692	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3692 RegAsm.exe

pid	process
3692	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 400 wrote to memory of 2064	400	tmp.exe	powershell.exe
PID 400 wrote to memory of 2064	400	tmp.exe	powershell.exe
PID 400 wrote to memory of 2064	400	tmp.exe	powershell.exe
PID 400 wrote to memory of 4400	400	tmp.exe	cmd.exe
PID 400 wrote to memory of 4400	400	tmp.exe	cmd.exe
PID 400 wrote to memory of 4400	400	tmp.exe	cmd.exe
PID 4400 wrote to memory of 2228	4400	cmd.exe	powershell.exe
PID 4400 wrote to memory of 2228	4400	cmd.exe	powershell.exe
PID 4400 wrote to memory of 2228	4400	cmd.exe	powershell.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe
PID 400 wrote to memory of 3692	400	tmp.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
cf7e8e073ac6490d693e7910c57f23f0

SHA1
d6a03f22a641bc5a7eadeb9d60849fdfa36f704d

SHA256
8b9913410404127bb7aa63fe1e71ffd3d19ef02644ab077df9181a7f788943ef

SHA512
58caf94e359ed8dc7de1dea120f3c039546cbed8aefa462cc265553b0b910452b89a2801758ed7c04fc8bfd6c5c9daf9dce7cb7dfd987d7fbd58516ed15600dd

Download Submit
memory/400-133-0x0000000005CF0000-0x0000000005D12000-memory.dmp

Filesize
136KB

Download
memory/400-132-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/2064-138-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/2064-137-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2064-139-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/2064-140-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/2064-141-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/2064-136-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/2064-135-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/2064-134-0x0000000000000000-mapping.dmp

Download
memory/2228-153-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/2228-154-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/2228-161-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/2228-160-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/2228-159-0x0000000005A00000-0x0000000005A0E000-memory.dmp

Filesize
56KB

Download
memory/2228-143-0x0000000000000000-mapping.dmp

Download
memory/2228-151-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

Filesize
200KB

Download
memory/2228-152-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download
memory/2228-155-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/3692-146-0x0000000000000000-mapping.dmp

Download
memory/3692-156-0x0000000006000000-0x0000000006012000-memory.dmp

Filesize
72KB

Download
memory/3692-157-0x0000000006420000-0x000000000645C000-memory.dmp

Filesize
240KB

Download
memory/3692-158-0x0000000006790000-0x000000000679A000-memory.dmp

Filesize
40KB

Download
memory/3692-149-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/3692-148-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/3692-147-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4400-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads