quasar | a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c

General

Target

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
Size

3.1MB
MD5

2386d1e1a35e51b0c869655580ab6431
SHA1

44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512

69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946
SSDEEP

49152:nv+lL26AaNeWgPhlmVqvMQ7XSKOEoDkE2HBk/+F5oGd1LTHHB72eh2NT:nvuL26AaNeWgPhlmVqkQ7XSKroDKX

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

C2

www.exiles.site:14782

192.151.244.144:14782

Mutex

32d6a0e2-190a-4f87-8d62-64ccb78f703b

Attributes

encryption_key
A1F8672246A55DFAFA317BFDC5F14C91A5B344B9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2624 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2328 schtasks.exe
2636 schtasks.exe

pid	process
2624	Client.exe

pid	process
2328	schtasks.exe
2636	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
Token: SeDebugPrivilege	2624	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2624 Client.exe

pid	process
2624	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exeClient.exe

description	pid	process	target process
PID 2752 wrote to memory of 2328	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	schtasks.exe
PID 2752 wrote to memory of 2328	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	schtasks.exe
PID 2752 wrote to memory of 2328	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	schtasks.exe
PID 2752 wrote to memory of 2624	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	Client.exe
PID 2752 wrote to memory of 2624	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	Client.exe
PID 2752 wrote to memory of 2624	2752	a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe	Client.exe
PID 2624 wrote to memory of 2636	2624	Client.exe	schtasks.exe
PID 2624 wrote to memory of 2636	2624	Client.exe	schtasks.exe
PID 2624 wrote to memory of 2636	2624	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe
"C:\Users\Admin\AppData\Local\Temp\a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2328

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
2.2MB

MD5
5296e7dbcd44917276ae895ac4847670

SHA1
c7415505776a0a740f8c6784a9a4d6355efbd30e

SHA256
397f92ed8e371bef7b8e25983ab3a14f547a60e7aef99949ca6654eec23f06c2

SHA512
7f396ef0fdb607243309dd926b05cd008f292ee0d10de05bccad70cbf4247d242dafdc0e08cbb41afd5b9ed450671b29fb5dc88f1d4dfbb53ce71fc27a6f8bf9

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
2.4MB

MD5
5fa12506f8b5f72e59bfbf12c1739c77

SHA1
1d7a579953ac54d6e8a534e5cbd0b23743c0fdc9

SHA256
ef3fe6ad97140a8d7e2dd5c93da46807776358e955fe7bad999f472470f6d0d1

SHA512
ef7841aa0ed84e0662d7c8ac61d10ff7cfda46542f223a389027b0150e9098ef86bd7e8c666d3ea06ee180b99f7ae1ad249984d0ed92536141bb4f7d9c8c0109

Download Submit
memory/2624-8-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2624-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-11-0x000000001B350000-0x000000001B3D0000-memory.dmp

Filesize
512KB

Download
memory/2624-12-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-13-0x000000001B350000-0x000000001B3D0000-memory.dmp

Filesize
512KB

Download
memory/2752-0-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/2752-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-2-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/2752-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads