quasar | 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1

General

Target

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
Size

3.1MB
MD5

df415a94b93536e36060b33baa82546d
SHA1

08cfa785b11927a3053de2eb3ba9c17b313fca82
SHA256

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1
SHA512

698547aedf83338f1880a8c1ce65c1913cf77f089a6b41473dc62e585884357a63e0711550ae7dbba98a1719cce3a6424be50d6e15305a73fe5b26544d957654
SSDEEP

49152:mvVt62XlaSFNWPjljiFa2RoUYIrT76+zoG6HXu4THHB72eh2NT:mvn62XlaSFNWPjljiFXRoUYIrT76Y

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

C2

31.220.97.187:443

Mutex

0505375d-d956-4c5c-b735-c942a92b89cb

Attributes

encryption_key
535E12CCD94BDC2CFFD2A9CFF6D5C3251B8CDAE3
install_name
winboot.exe
log_directory
Logs
reconnect_delay
5000
startup_key
UEFI boot
subdirectory
bootufi

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
C:\Windows\System32\bootufi\winboot.exe	family_quasar
C:\Windows\system32\bootufi\winboot.exe	family_quasar
behavioral1/memory/2668-8-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

winboot.exe

pid process

2668 winboot.exe

pid	process
2668	winboot.exe

Drops file in System32 directory 5 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	ioc	process
File created	C:\Windows\system32\bootufi\winboot.exe	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
File opened for modification	C:\Windows\system32\bootufi\winboot.exe	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
File opened for modification	C:\Windows\system32\bootufi	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
File opened for modification	C:\Windows\system32\bootufi\winboot.exe	winboot.exe
File opened for modification	C:\Windows\system32\bootufi	winboot.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2656 schtasks.exe
2716 schtasks.exe

pid	process
2656	schtasks.exe
2716	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	pid	process
Token: SeDebugPrivilege	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
Token: SeDebugPrivilege	2668	winboot.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	pid	process	target process
PID 2132 wrote to memory of 2656	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	schtasks.exe
PID 2132 wrote to memory of 2656	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	schtasks.exe
PID 2132 wrote to memory of 2656	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	schtasks.exe
PID 2132 wrote to memory of 2668	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	winboot.exe
PID 2132 wrote to memory of 2668	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	winboot.exe
PID 2132 wrote to memory of 2668	2132	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	winboot.exe
PID 2668 wrote to memory of 2716	2668	winboot.exe	schtasks.exe
PID 2668 wrote to memory of 2716	2668	winboot.exe	schtasks.exe
PID 2668 wrote to memory of 2716	2668	winboot.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
"C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\bootufi\winboot.exe
"C:\Windows\system32\bootufi\winboot.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\bootufi\winboot.exe
Filesize
2.1MB

MD5
1abc0053c1f09fc6f4e9d4e29cc0e4fd

SHA1
c85b3bd4d4e8b67569c264311fcc1fc64709f43e

SHA256
b5c0dae9bc4b0dab360ba365864e87296c9d9d8346fd048dde35a71846d572fc

SHA512
e2a414616872d9a1afdd116b5c556ec68f8d0d99c3897b4316099d7ab94962395b19f644f5ddcc6019abc4c71da977760a1c01e626bd3946fc1c0cd2e580121a

Download Submit
C:\Windows\system32\bootufi\winboot.exe
Filesize
1.4MB

MD5
02e50a3e6e6b0b6fab8fd5f8a6d798a7

SHA1
d338aa06322ed36d4d22010fce3e278a21d351a1

SHA256
2f8b22c9f5fc253e2251bed446115c5f87302ae7f72fd913a0b40b625c3b7258

SHA512
f9dbcf6d9adc5fd19a9572929a50797a573c0b1dc797baa4e8cf2d7902d25738bd55927b8768249ea8becf56716919047e5076edeba8d03418780a15b2b18328

Download Submit
memory/2132-0-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2132-1-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2132-10-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-9-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-11-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2668-8-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2668-12-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-13-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads