quasar | a8afb246d8a8e9398de7d889148bbf4e41f62382878e5bf4f20aab2fb77d70b6

General

Target

NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
Size

3.1MB
MD5

280ff5728b64f9a24386f68898bbd330
SHA1

3ef05ac2cf32f1ac8eddb6098aabb96c27a0196d
SHA256

a8afb246d8a8e9398de7d889148bbf4e41f62382878e5bf4f20aab2fb77d70b6
SHA512

049122f614c17a82f0410f80b9dc9b71b3e6631e2f4987f7433f6c4d002a4eb91e669f54466038ea4ba17c4d7ba5a43775d3366cf07097691211cb9d70b7b850
SSDEEP

49152:uvXI22SsaNYfdPBldt698dBcjH74mNmzTLoGdn+THHB72eh2NT:uvY22SsaNYfdPBldt6+dBcjH74mq

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.104:4782

Mutex

4aade2c7-6235-496f-a7d3-c40b34a897b6

Attributes

encryption_key
A8E5AD56F34EF1249C811E0877C39C207DA2A436
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/2432-0-0x0000000000910000-0x0000000000C34000-memory.dmp	family_quasar
behavioral2/files/0x000a00000002316c-7.dat	family_quasar
behavioral2/files/0x000a00000002316c-8.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3332	Client.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
File opened for modification	C:\Windows\system32\SubDir	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
944	schtasks.exe
2056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
Token: SeDebugPrivilege	3332	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3332	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 944	2432	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe	83
PID 2432 wrote to memory of 944	2432	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe	83
PID 2432 wrote to memory of 3332	2432	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe	85
PID 2432 wrote to memory of 3332	2432	NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe	85
PID 3332 wrote to memory of 2056	3332	Client.exe	86
PID 3332 wrote to memory of 2056	3332	Client.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.280ff5728b64f9a24386f68898bbd330_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:944
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
280ff5728b64f9a24386f68898bbd330

SHA1
3ef05ac2cf32f1ac8eddb6098aabb96c27a0196d

SHA256
a8afb246d8a8e9398de7d889148bbf4e41f62382878e5bf4f20aab2fb77d70b6

SHA512
049122f614c17a82f0410f80b9dc9b71b3e6631e2f4987f7433f6c4d002a4eb91e669f54466038ea4ba17c4d7ba5a43775d3366cf07097691211cb9d70b7b850

Download Submit
C:\Windows\system32\SubDir\Client.exe

Filesize
3.1MB

MD5
280ff5728b64f9a24386f68898bbd330

SHA1
3ef05ac2cf32f1ac8eddb6098aabb96c27a0196d

SHA256
a8afb246d8a8e9398de7d889148bbf4e41f62382878e5bf4f20aab2fb77d70b6

SHA512
049122f614c17a82f0410f80b9dc9b71b3e6631e2f4987f7433f6c4d002a4eb91e669f54466038ea4ba17c4d7ba5a43775d3366cf07097691211cb9d70b7b850

Download Submit
memory/2432-0-0x0000000000910000-0x0000000000C34000-memory.dmp

Filesize
3.1MB

Download
memory/2432-1-0x00007FFE9EFA0000-0x00007FFE9FA61000-memory.dmp

Filesize
10.8MB

Download
memory/2432-2-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/2432-9-0x00007FFE9EFA0000-0x00007FFE9FA61000-memory.dmp

Filesize
10.8MB

Download
memory/3332-10-0x00007FFE9EFA0000-0x00007FFE9FA61000-memory.dmp

Filesize
10.8MB

Download
memory/3332-11-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/3332-12-0x000000001B610000-0x000000001B660000-memory.dmp

Filesize
320KB

Download
memory/3332-13-0x000000001BFE0000-0x000000001C092000-memory.dmp

Filesize
712KB

Download
memory/3332-14-0x00007FFE9EFA0000-0x00007FFE9FA61000-memory.dmp

Filesize
10.8MB

Download
memory/3332-15-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads