quasar | 641a1a8dd5377977e5d961268e88b5cfcaa679191cbf0ea34a53f8132a342b0f

General

Target

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
Size

11.3MB
MD5

7b79bbfe338448b0de666215060d2cbc
SHA1

d8ca513e1e85e1a8dd6a81824f86064fad19419a
SHA256

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03
SHA512

e621286081db8ea041aaf148b233d52d8c4fdfd5ef0fa5327e17622ff3e19d8c6b6c25881b3f396e93c7aaacd0ed3e3baca7be59a508a5232534e3f777a99e50
SSDEEP

196608:ChTb9B0BPrDz4pxgZZPy5RmStgxb/z6FDiSJXqeUh4mT+uFk8spbVgo87e8YU:sTb9epDz4MZZ4RmxYDiScfhHjeV+vK8Y

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.237:4782

Mutex

08ac4250-96f9-44da-b030-99dcc4597b28

Attributes

encryption_key
D43A8C9C8C9A74741CBEA4F1A01C53C2F8DF8AC2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4820-145-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Suspicious use of SetThreadContext 1 IoCs

Processes:

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe

description	pid	process	target process
PID 1984 set thread context of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
Token: SeDebugPrivilege	4820	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RegAsm.exe

pid process

4820 RegAsm.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

RegAsm.exe

pid process

4820 RegAsm.exe

pid	process
4820	RegAsm.exe

pid	process
4820	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe

description	pid	process	target process
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe
PID 1984 wrote to memory of 4820	1984	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
"C:\Users\Admin\AppData\Local\Temp\150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-133-0x0000000000CE0000-0x0000000001836000-memory.dmp

Filesize
11.3MB

Download
memory/1984-134-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/1984-135-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/1984-136-0x0000000005CE0000-0x0000000005CE8000-memory.dmp

Filesize
32KB

Download
memory/1984-137-0x0000000007B70000-0x0000000007BE6000-memory.dmp

Filesize
472KB

Download
memory/1984-138-0x00000000093F0000-0x00000000093F8000-memory.dmp

Filesize
32KB

Download
memory/1984-139-0x0000000009630000-0x0000000009638000-memory.dmp

Filesize
32KB

Download
memory/1984-140-0x000000000A3D0000-0x000000000A3EE000-memory.dmp

Filesize
120KB

Download
memory/1984-141-0x000000000C0C0000-0x000000000C664000-memory.dmp

Filesize
5.6MB

Download
memory/1984-142-0x000000000BBB0000-0x000000000BC42000-memory.dmp

Filesize
584KB

Download
memory/1984-143-0x000000000BB30000-0x000000000BB3A000-memory.dmp

Filesize
40KB

Download
memory/1984-144-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4820-145-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/4820-147-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4820-148-0x0000000006B80000-0x0000000007198000-memory.dmp

Filesize
6.1MB

Download
memory/4820-149-0x0000000006710000-0x0000000006760000-memory.dmp

Filesize
320KB

Download
memory/4820-150-0x0000000006970000-0x0000000006A22000-memory.dmp

Filesize
712KB

Download
memory/4820-151-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads