quasar | 2d8303d0f7da26b7c791c4c7452b94bd5dea8f32754476aa3be823e3d1975bc1

General

Target

WindowsUpdate.exe
Size

3.1MB
MD5

ba6464dabb825a3617600356e67bc80b
SHA1

257c884ac1fc6849622b66b3a73a4d5e318171bd
SHA256

2d8303d0f7da26b7c791c4c7452b94bd5dea8f32754476aa3be823e3d1975bc1
SHA512

19ff0a41ced01da5820282d6758efd6d20778c6a6a2d3f3ddc03b5e7debee2b2ccca51ad62609c86d0b97b476dfbcd30a34abbe60b631a43538802995568c6be
SSDEEP

49152:3vHI22SsaNYfdPBldt698dBcjHw1RJ62bR3LoGd8ERTHHB72eh2NT:3vo22SsaNYfdPBldt6+dBcjHw1RJ6w

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office

C2

192.168.1.56:4782

Mutex

982f6dbb-abc1-4202-b7bb-99818e45a4f9

Attributes

encryption_key
B9F5D103305EFF7116595EA78C8E89F50419A04E
install_name
RuntimeBroker.exe
log_directory
CrashLogs
reconnect_delay
3000
startup_key
conhost
subdirectory
System Restore

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/files/0x0006000000023201-8.dat	family_quasar
behavioral1/files/0x0006000000023201-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4056	RuntimeBroker.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\System Restore\RuntimeBroker.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\system32\System Restore\RuntimeBroker.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\system32\System Restore	WindowsUpdate.exe
File opened for modification	C:\Windows\system32\System Restore\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\System Restore	RuntimeBroker.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2768	schtasks.exe
1376	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	WindowsUpdate.exe
Token: SeDebugPrivilege	4056	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4056	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2768	2936	WindowsUpdate.exe	92
PID 2936 wrote to memory of 2768	2936	WindowsUpdate.exe	92
PID 2936 wrote to memory of 4056	2936	WindowsUpdate.exe	94
PID 2936 wrote to memory of 4056	2936	WindowsUpdate.exe	94
PID 4056 wrote to memory of 1376	4056	RuntimeBroker.exe	97
PID 4056 wrote to memory of 1376	4056	RuntimeBroker.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Windows\system32\System Restore\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2768
- C:\Windows\system32\System Restore\RuntimeBroker.exe
  "C:\Windows\system32\System Restore\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Windows\system32\System Restore\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\System Restore\RuntimeBroker.exe

Filesize
1.5MB

MD5
c4eea02b8fb68bb72e220f8cb4c7a500

SHA1
2aca80a4e958bdfadae747799f59b417ddb69e4d

SHA256
d24f11c9052474eb91ffef6e682e54caa6ab924394ab5d4893ad977889d33ebd

SHA512
f6ece337a0c3a46434e2094f3af0d5eb8cacfb9bdb3d3698abfdbfe134667e70985ed20f04d7dd4ced20c5581a310a362f50f1aca64fba6e03ee9e62db9f5fa9

Download Submit
C:\Windows\system32\System Restore\RuntimeBroker.exe

Filesize
1.4MB

MD5
85a5b8c9e965552631fa19edfdef4dd8

SHA1
8e9da5f4c1924256b04f997ce960e09b29994268

SHA256
d98ad838cd357afa54a8294fd27b7aa6b82e4fa245d7038b38fb0c7ba9e1042f

SHA512
237a742a282ca1614d65a285a10ba4bf24ac2a2000382d1b700e69b8f471c3a4afbd02bd4ed6a66be8e5244ad68d6471dae2f3ed7e4d9f55e2012c3bf21e5e9e

Download Submit
memory/2936-0-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/2936-1-0x00007FFE372D0000-0x00007FFE37D91000-memory.dmp

Filesize
10.8MB

Download
memory/2936-2-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2936-10-0x00007FFE372D0000-0x00007FFE37D91000-memory.dmp

Filesize
10.8MB

Download
memory/4056-9-0x00007FFE372D0000-0x00007FFE37D91000-memory.dmp

Filesize
10.8MB

Download
memory/4056-11-0x000000001D750000-0x000000001D7A0000-memory.dmp

Filesize
320KB

Download
memory/4056-12-0x000000001D860000-0x000000001D912000-memory.dmp

Filesize
712KB

Download
memory/4056-13-0x00007FFE372D0000-0x00007FFE37D91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads