quasar | d69de6f4205696769caffe6bc3b75fd2da005041dcd88c110da9937a159233b6

General

Target

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Size

502KB
MD5

f4a3d9404ad522ec1b9bd8feb8dca3b5
SHA1

33201170d62419689b5685b22325512c27ca16ab
SHA256

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88
SHA512

c593bab9c02e4a5a78d420710e422e8b562e2d2e040c745a75aac4a44695ec8d8e83ef999abd17fdd0db0e668a390d93f9d121446fb2f702d982e0bc8e04beea
SSDEEP

6144:8zAOLe5C9/l3Iv3hlwJYrCp5+kP/af/9jwlYj4ixSP7PtcaZuSrg6n2i3UMyoQTk:8zxICbojRxEceusRn1EvQY

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

37.1.207.27:222

Mutex

7xg1muSKali1I2y5IZ

Attributes

encryption_key
KWyZntdiPrrGnzylskuR
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3576-10-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

description	pid	process	target process
PID 3128 set thread context of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid	process
3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

description	pid	process
Token: SeDebugPrivilege	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
Token: SeDebugPrivilege	3576	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid process

3576 9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

pid	process
3576	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

description	pid	process	target process
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
PID 3128 wrote to memory of 3576	3128	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe	9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
"C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
C:\Users\Admin\AppData\Local\Temp\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9d737c768d419aed55de299a114fb8b4928d263320caa4b35c08f4c0bb3fcb88.exe.log
Filesize
418B

MD5
50045c5c59ae3eb2db5452fb39e13335

SHA1
56226b40d4458df7e92f802381401e4183c97cb2

SHA256
b90b2a4ba2c69f094edce48807ad1873b1265c83795139fbf4576697fe65cae9

SHA512
bb20f9389e69e4a17fa254bd3b77212797f3be159ec6129b3a1501db3e24fb7b12096fbdbfcc93c24ecdb3cea88eae8a58e279b39c0777b6a4e9d4c15057faa4

Download Submit
memory/3128-14-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3128-1-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3128-2-0x00000000018C0000-0x00000000018D0000-memory.dmp

Filesize
64KB

Download
memory/3128-3-0x00000000056E0000-0x0000000005752000-memory.dmp

Filesize
456KB

Download
memory/3128-4-0x0000000005890000-0x0000000005900000-memory.dmp

Filesize
448KB

Download
memory/3128-5-0x00000000059A0000-0x0000000005A3C000-memory.dmp

Filesize
624KB

Download
memory/3128-6-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3128-7-0x00000000018C0000-0x00000000018D0000-memory.dmp

Filesize
64KB

Download
memory/3128-8-0x00000000016E0000-0x0000000001748000-memory.dmp

Filesize
416KB

Download
memory/3128-9-0x00000000065F0000-0x0000000006B94000-memory.dmp

Filesize
5.6MB

Download
memory/3128-0-0x0000000000D40000-0x0000000000DC6000-memory.dmp

Filesize
536KB

Download
memory/3576-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3576-13-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-15-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/3576-16-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3576-17-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/3576-18-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/3576-19-0x00000000060B0000-0x00000000060EC000-memory.dmp

Filesize
240KB

Download
memory/3576-21-0x0000000006420000-0x000000000642A000-memory.dmp

Filesize
40KB

Download
memory/3576-22-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-23-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads