quasar | 1f3f243a8fbc3468bbdd7abdf0f2d1b91e8cf8a3cecb8db1bfbe5fa6288809bd

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/05/2023, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
Size

4.4MB
MD5

e862112b0a3781dcf75eaf11b8b6ea7d
SHA1

725b9a18c2c6cdd616ad10d6f9e977753c7eb0e4
SHA256

5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135
SHA512

6a5ebf286858e2a814fedf81fae111bd4468eaafe19ecc2a7eadf2d441b9584bab4ee4a3c5f83415d5cc31bbe11f7888e6dbe2a0a8a006affaefe463de3f535f
SSDEEP

98304:+4uKDZOjVXFcG7BEcyZeW+gP/i6jepIA90sK6LovYr5K49ZQ:+4uKDeFT7BEcyZpDP/RERXKsog5BHQ

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

microsoftbackup.duckdns.org:47600

Mutex

b97303a2-a8f5-4170-91c1-56adceee5081

Attributes

encryption_key
A31E078A7CC45D3676D5AE3FB460C3E365219397
install_name
Client.exe
log_directory
Log
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/1792-77-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1792-78-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1792-80-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1792-82-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1792-84-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\""	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1368	ipconfig.exe
1944	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1792	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1792	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1736	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	27
PID 2044 wrote to memory of 1736	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	27
PID 2044 wrote to memory of 1736	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	27
PID 2044 wrote to memory of 1736	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	27
PID 1736 wrote to memory of 1368	1736	cmd.exe	29
PID 1736 wrote to memory of 1368	1736	cmd.exe	29
PID 1736 wrote to memory of 1368	1736	cmd.exe	29
PID 1736 wrote to memory of 1368	1736	cmd.exe	29
PID 2044 wrote to memory of 1772	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	30
PID 2044 wrote to memory of 1772	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	30
PID 2044 wrote to memory of 1772	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	30
PID 2044 wrote to memory of 1772	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	30
PID 2044 wrote to memory of 2028	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	32
PID 2044 wrote to memory of 2028	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	32
PID 2044 wrote to memory of 2028	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	32
PID 2044 wrote to memory of 2028	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	32
PID 2028 wrote to memory of 1604	2028	cmd.exe	34
PID 2028 wrote to memory of 1604	2028	cmd.exe	34
PID 2028 wrote to memory of 1604	2028	cmd.exe	34
PID 2028 wrote to memory of 1604	2028	cmd.exe	34
PID 2044 wrote to memory of 1788	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	35
PID 2044 wrote to memory of 1788	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	35
PID 2044 wrote to memory of 1788	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	35
PID 2044 wrote to memory of 1788	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	35
PID 1788 wrote to memory of 1944	1788	cmd.exe	37
PID 1788 wrote to memory of 1944	1788	cmd.exe	37
PID 1788 wrote to memory of 1944	1788	cmd.exe	37
PID 1788 wrote to memory of 1944	1788	cmd.exe	37
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38
PID 2044 wrote to memory of 1792	2044	5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe	38

C:\Users\Admin\AppData\Local\Temp\5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe
"C:\Users\Admin\AppData\Local\Temp\5b1365bd1c3648fdfe1aa9699e1647b3967bf3824c0b03eb4e67ef4599840135.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZ36KH2USTDZQ9A14UYI.temp

Filesize
7KB

MD5
a50eed864c8df86ee93d2962297c6985

SHA1
e6adf5e563209c7682428ee8e4fce29044375144

SHA256
6c7d3e60da1bf4fbd2063869b08b561565a62e1a468d4472e716d2eee299b09e

SHA512
6e5bca5fc24d7372c4304815fe7dfd5434b80c1900a9de56b4846877d34a5f4f3ede2aa100246a158af410c4abf1f69470a8cfd1dd0ec97eff8756538e303bac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a50eed864c8df86ee93d2962297c6985

SHA1
e6adf5e563209c7682428ee8e4fce29044375144

SHA256
6c7d3e60da1bf4fbd2063869b08b561565a62e1a468d4472e716d2eee299b09e

SHA512
6e5bca5fc24d7372c4304815fe7dfd5434b80c1900a9de56b4846877d34a5f4f3ede2aa100246a158af410c4abf1f69470a8cfd1dd0ec97eff8756538e303bac

Download Submit
memory/1772-62-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1772-63-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1772-67-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1772-66-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1772-65-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/1792-84-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-82-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-78-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-85-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1792-75-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-80-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-86-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1792-77-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1792-76-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2044-64-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2044-55-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2044-57-0x00000000096E0000-0x0000000009AA2000-memory.dmp

Filesize
3.8MB

Download
memory/2044-56-0x00000000091E0000-0x00000000096DE000-memory.dmp

Filesize
5.0MB

Download
memory/2044-54-0x0000000000140000-0x00000000005A4000-memory.dmp

Filesize
4.4MB

Download
memory/2044-59-0x0000000004500000-0x0000000004592000-memory.dmp

Filesize
584KB

Download
memory/2044-58-0x0000000006160000-0x000000000628E000-memory.dmp

Filesize
1.2MB

Download