quasar | 359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1

General

Target

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
Size

3.1MB
MD5

df415a94b93536e36060b33baa82546d
SHA1

08cfa785b11927a3053de2eb3ba9c17b313fca82
SHA256

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1
SHA512

698547aedf83338f1880a8c1ce65c1913cf77f089a6b41473dc62e585884357a63e0711550ae7dbba98a1719cce3a6424be50d6e15305a73fe5b26544d957654
SSDEEP

49152:mvVt62XlaSFNWPjljiFa2RoUYIrT76+zoG6HXu4THHB72eh2NT:mvn62XlaSFNWPjljiFXRoUYIrT76Y

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

C2

31.220.97.187:443

Mutex

0505375d-d956-4c5c-b735-c942a92b89cb

Attributes

encryption_key
535E12CCD94BDC2CFFD2A9CFF6D5C3251B8CDAE3
install_name
winboot.exe
log_directory
Logs
reconnect_delay
5000
startup_key
UEFI boot
subdirectory
bootufi

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4260-0-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar
C:\Windows\system32\bootufi\winboot.exe	family_quasar
C:\Windows\System32\bootufi\winboot.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

winboot.exe

pid process

4148 winboot.exe

pid	process
4148	winboot.exe

Drops file in System32 directory 5 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	ioc	process
File opened for modification	C:\Windows\system32\bootufi	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
File opened for modification	C:\Windows\system32\bootufi\winboot.exe	winboot.exe
File opened for modification	C:\Windows\system32\bootufi	winboot.exe
File created	C:\Windows\system32\bootufi\winboot.exe	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
File opened for modification	C:\Windows\system32\bootufi\winboot.exe	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3104 schtasks.exe
2280 schtasks.exe

pid	process
3104	schtasks.exe
2280	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	pid	process
Token: SeDebugPrivilege	4260	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
Token: SeDebugPrivilege	4148	winboot.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exewinboot.exe

description	pid	process	target process
PID 4260 wrote to memory of 3104	4260	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	schtasks.exe
PID 4260 wrote to memory of 3104	4260	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	schtasks.exe
PID 4260 wrote to memory of 4148	4260	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	winboot.exe
PID 4260 wrote to memory of 4148	4260	359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe	winboot.exe
PID 4148 wrote to memory of 2280	4148	winboot.exe	schtasks.exe
PID 4148 wrote to memory of 2280	4148	winboot.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe
"C:\Users\Admin\AppData\Local\Temp\359367716a543f967e551c97ec94a6bf4c1e7e08cf5c6c0b91aa4e046d44f4d1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\bootufi\winboot.exe
"C:\Windows\system32\bootufi\winboot.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "UEFI boot" /sc ONLOGON /tr "C:\Windows\system32\bootufi\winboot.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\bootufi\winboot.exe
Filesize
143KB

MD5
e77c7d57b0f1a66080941a9e5013ddb6

SHA1
9a64ea597acfcb5c180d8771138aaaa985f0b258

SHA256
00fa52a1e9c92779604f585fff2844366adb79e39e21c9a074bb8b143eeffbd1

SHA512
351f6cd949b07cc0b50b24752728c74ecae4cedee1b2e0736c8faeddf8572e9811a82cc5ff8dce9a3b8597a6fd218ee11dc3f7331334d6494cb8fd3a786a1f6f

Download Submit
C:\Windows\system32\bootufi\winboot.exe
Filesize
91KB

MD5
312884482f517fea629ee5deef8b2aca

SHA1
66b1914ac47fade616cdd126731e0db2f20dd89e

SHA256
c3324ce50ea25e444d00e54d5ea4d2c9394971812e2279374933114daeb2d36b

SHA512
850429fdfdd496b9c2aa33f180e1d1270021c452ba8dc1e806ec9459660b2eb3df3bba4efc3e7e1d937d0a679db5ab451eb325f214cd603a6cf8cb4ddf4a7953

Download Submit
memory/4148-13-0x000000001C430000-0x000000001C4E2000-memory.dmp

Filesize
712KB

Download
memory/4148-10-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp

Filesize
10.8MB

Download
memory/4148-11-0x000000001BF70000-0x000000001BF80000-memory.dmp

Filesize
64KB

Download
memory/4148-12-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/4148-17-0x000000001C3B0000-0x000000001C3EC000-memory.dmp

Filesize
240KB

Download
memory/4148-16-0x000000001BEC0000-0x000000001BED2000-memory.dmp

Filesize
72KB

Download
memory/4148-18-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp

Filesize
10.8MB

Download
memory/4148-19-0x000000001BF70000-0x000000001BF80000-memory.dmp

Filesize
64KB

Download
memory/4260-9-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp

Filesize
10.8MB

Download
memory/4260-2-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/4260-1-0x00007FFE59E90000-0x00007FFE5A951000-memory.dmp

Filesize
10.8MB

Download
memory/4260-0-0x00000000008A0000-0x0000000000BC4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads