quasar | d69de6f4205696769caffe6bc3b75fd2da005041dcd88c110da9937a159233b6

General

Target

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Size

502KB
MD5

f4a3d9404ad522ec1b9bd8feb8dca3b5
SHA1

33201170d62419689b5685b22325512c27ca16ab
SHA256

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88
SHA512

c593bab9c02e4a5a78d420710e422e8b562e2d2e040c745a75aac4a44695ec8d8e83ef999abd17fdd0db0e668a390d93f9d121446fb2f702d982e0bc8e04beea
SSDEEP

6144:8zAOLe5C9/l3Iv3hlwJYrCp5+kP/af/9jwlYj4ixSP7PtcaZuSrg6n2i3UMyoQTk:8zxICbojRxEceusRn1EvQY

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

37.1.207.27:222

Mutex

7xg1muSKali1I2y5IZ

Attributes

encryption_key
KWyZntdiPrrGnzylskuR
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2624-12-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2624-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2624-21-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2624-18-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2624-23-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2624-25-0x0000000004A80000-0x0000000004AC0000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

description	pid	process	target process
PID 1184 set thread context of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid	process
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

description	pid	process
Token: SeDebugPrivilege	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Token: SeDebugPrivilege	2624	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid process

2624 9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid	process
2624	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
"C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
2⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
2⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/1184-0-0x0000000000330000-0x00000000003B6000-memory.dmp

Filesize
536KB

Download
memory/1184-2-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/1184-3-0x00000000008F0000-0x0000000000962000-memory.dmp

Filesize
456KB

Download
memory/1184-4-0x0000000002330000-0x00000000023A0000-memory.dmp

Filesize
448KB

Download
memory/1184-5-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/1184-6-0x0000000000780000-0x00000000007C0000-memory.dmp

Filesize
256KB

Download
memory/1184-7-0x00000000051F0000-0x0000000005258000-memory.dmp

Filesize
416KB

Download
memory/1184-20-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-23-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2624-24-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-25-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2624-27-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-28-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 1184 wrote to memory of 2112	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2112	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2112	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2112	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2700	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2700	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2700	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2700	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 1184 wrote to memory of 2624	1184	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads