quasar | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c

General

Target

2386d1e1a35e51b0c869655580ab6431.exe
Size

3.1MB
MD5

2386d1e1a35e51b0c869655580ab6431
SHA1

44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512

69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
SSDEEP

49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

C2

www.exiles.site:14782

192.151.244.144:14782

Mutex

32d6a0e2-190a-4f87-8d62-64ccb78f703b

Attributes

encryption_key
A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1104 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2964 schtasks.exe
2812 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2386d1e1a35e51b0c869655580ab6431.exeClient.exe

description pid process

Token: SeDebugPrivilege 2176 2386d1e1a35e51b0c869655580ab6431.exe
Token: SeDebugPrivilege 1104 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1104 Client.exe

pid	process
1104	Client.exe

pid	process
2964	schtasks.exe
2812	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2176	2386d1e1a35e51b0c869655580ab6431.exe
Token: SeDebugPrivilege	1104	Client.exe

pid	process
1104	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2386d1e1a35e51b0c869655580ab6431.exeClient.exe

description	pid	process	target process
PID 2176 wrote to memory of 2964	2176	2386d1e1a35e51b0c869655580ab6431.exe	schtasks.exe
PID 2176 wrote to memory of 2964	2176	2386d1e1a35e51b0c869655580ab6431.exe	schtasks.exe
PID 2176 wrote to memory of 2964	2176	2386d1e1a35e51b0c869655580ab6431.exe	schtasks.exe
PID 2176 wrote to memory of 1104	2176	2386d1e1a35e51b0c869655580ab6431.exe	Client.exe
PID 2176 wrote to memory of 1104	2176	2386d1e1a35e51b0c869655580ab6431.exe	Client.exe
PID 2176 wrote to memory of 1104	2176	2386d1e1a35e51b0c869655580ab6431.exe	Client.exe
PID 1104 wrote to memory of 2812	1104	Client.exe	schtasks.exe
PID 1104 wrote to memory of 2812	1104	Client.exe	schtasks.exe
PID 1104 wrote to memory of 2812	1104	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe
"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2964

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
1024KB

MD5
16015fbd05ec4aa780ac649ecb3f00fd

SHA1
7bf57070a7d0e29a78e71f6dd6dc7d084f98a8f3

SHA256
5e626d87f6b38d573e4a12250e440f16d42600f76788077693833976dbee22c7

SHA512
fa3f601e0f9efaa473f70ac7862d851d2747911dc0f0edf15067f0a0326c60c86e5e0a1eb1d4cfc3dccd4602dfffc2621a55a38b1a9d859f8874e70dd4226756

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
2386d1e1a35e51b0c869655580ab6431

SHA1
44de49d3050793f1cea18a62fc7649c96deebaa7

SHA256
a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c

SHA512
69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946

Download Submit
memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/1104-9-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-10-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/1104-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-13-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/2176-1-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2176-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2176-11-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads