quasar | d90addee4f27e9c4ecee68ef64f57a731884d0b0da84dfc3049e3ab930a09673

General

Target

blud.exe
Size

3.1MB
MD5

55306c52f9ed7365e9938c40af08496e
SHA1

cc914160a9f4a5496654c0486d66e0943c052d7b
SHA256

d90addee4f27e9c4ecee68ef64f57a731884d0b0da84dfc3049e3ab930a09673
SHA512

6744dcd73ec7fbd9d34ea406f6d86092eae06ad9c13b32e5eb79b2c61436c62177e3dc5adacdf2ab96ffbf6be3a0d6b9ff67437eafc054c72b55f4c61a60dc13
SSDEEP

49152:eb48V3wLBdGPpeKdWn96t19Lz4OPByg4W7N5chyiY5Od7lK:eb48V3odG8qmY76OPBN4WrcEfi0

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

authapi-41985.portmap.host:41985

Mutex

50fd280e-bda2-413a-9ebd-86236f4b0beb

Attributes

encryption_key
E429F24E279E8B25742D0F5347151B0F90D031CA
install_name
system.exe
log_directory
Logs
reconnect_delay
3000
startup_key
system
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014a94-2.dat	family_quasar
behavioral1/memory/3016-13-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015c23-27.dat	family_quasar
behavioral1/files/0x0009000000015c23-26.dat	family_quasar
behavioral1/memory/2376-30-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
3016	fnup.exe
2376	system.exe

Loads dropped DLL 1 IoCs

pid	Process
1056	blud.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\system.exe	fnup.exe
File opened for modification	C:\Windows\system32\SubDir\system.exe	fnup.exe
File opened for modification	C:\Windows\system32\SubDir	fnup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2392	schtasks.exe
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	powershell.exe
2220	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3016	fnup.exe
Token: SeDebugPrivilege	2376	system.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	system.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2376	system.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	system.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2220	1056	blud.exe	28
PID 1056 wrote to memory of 2220	1056	blud.exe	28
PID 1056 wrote to memory of 2220	1056	blud.exe	28
PID 1056 wrote to memory of 2220	1056	blud.exe	28
PID 1056 wrote to memory of 2816	1056	blud.exe	30
PID 1056 wrote to memory of 2816	1056	blud.exe	30
PID 1056 wrote to memory of 2816	1056	blud.exe	30
PID 1056 wrote to memory of 2816	1056	blud.exe	30
PID 1056 wrote to memory of 3016	1056	blud.exe	32
PID 1056 wrote to memory of 3016	1056	blud.exe	32
PID 1056 wrote to memory of 3016	1056	blud.exe	32
PID 1056 wrote to memory of 3016	1056	blud.exe	32
PID 3016 wrote to memory of 2392	3016	fnup.exe	33
PID 3016 wrote to memory of 2392	3016	fnup.exe	33
PID 3016 wrote to memory of 2392	3016	fnup.exe	33
PID 3016 wrote to memory of 2376	3016	fnup.exe	35
PID 3016 wrote to memory of 2376	3016	fnup.exe	35
PID 3016 wrote to memory of 2376	3016	fnup.exe	35
PID 2376 wrote to memory of 2784	2376	system.exe	36
PID 2376 wrote to memory of 2784	2376	system.exe	36
PID 2376 wrote to memory of 2784	2376	system.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\blud.exe
"C:\Users\Admin\AppData\Local\Temp\blud.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcQB4ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAagBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwB5AHMAdABlAG0AIABkAG8AdwBuACAAYwBvAG4AdABhAGMAdAAgAG8AdwBuAGUAcgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAcQB5AGIAIwA+AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAdgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAegB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAaAB2ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\fnup.exe
  "C:\Users\Admin\AppData\Local\Temp\fnup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Windows\system32\SubDir\system.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2392
- - C:\Windows\system32\SubDir\system.exe
    "C:\Windows\system32\SubDir\system.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Windows\system32\SubDir\system.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d5d0f31f9de528e90a34843b7296b3b5

SHA1
478ec0857c2bc3175e72c6bd4609c233acc24404

SHA256
3e786c4b9f51411754de21e78ae5c0d03c34fb7663d3366446aeb8276127669d

SHA512
e91cda3adb4d8b3d7bfeb7ac736669cf9adba8badf027589614dc7cb54aa7a5e8e18cb64d41236303923fac6cc7340d029a906fadd26c53a6bc26428203c8c3a

Download Submit
C:\Windows\System32\SubDir\system.exe

Filesize
2.6MB

MD5
9df048e0f7ca0818342606550b7fa7f4

SHA1
bc0745a74d6575f7daf143a190bf24a632af0fce

SHA256
c5ab9686575fc4be02ea065cab10c990f11541ebc13bd126e39b70f0dd512d3a

SHA512
06c63d7b585a4fe864ca27d8dffbd92137c99fed8c4a5e02465166d76d14432d69fbe24273357eec8d69a1dfbfe6fc7d2da6334b6674f9b73660915c3ab7de77

Download Submit
C:\Windows\system32\SubDir\system.exe

Filesize
1.8MB

MD5
26eded37ad045f0dab2698caf8cf5644

SHA1
bc851d2f02cd892b90cbc36b998b27be8da36f77

SHA256
cbc0e3cad8b275ec0291a4cae52d64c34edbbbb7d1ca1d697ce96ff5f5f2314c

SHA512
b586e1a37d51e85d15023daf3bbcbb63ad00e673273bc6ac9a596a0536862ea7f2ec01c8c8293de3d520049157b0d11f1d5b067f537f249b74482e9d06be1fa0

Download Submit
\Users\Admin\AppData\Local\Temp\fnup.exe

Filesize
3.1MB

MD5
3adf9bf2374b11c73a926621097f6791

SHA1
a9b9b42bb8f0cf7aad8551c05fb0176aba11d28d

SHA256
df86cb5e5dad3dba276558cf1c44869f5315e9232aabb5cc4a3d48c1734f32fb

SHA512
47da60a7653b3c1f8fa39cd65fc95b1796055f67d89027eecb36e1ca3fcd236efc891bc870eeb93269f7a270bed9dcd9ebb4ea7ac5654995503454a498873aab

Download Submit
memory/2220-33-0x00000000730C0000-0x000000007366B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-17-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2220-19-0x00000000730C0000-0x000000007366B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-20-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2376-32-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/2376-30-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/2376-29-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-16-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/2816-23-0x00000000730C0000-0x000000007366B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-21-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/2816-18-0x00000000730C0000-0x000000007366B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-15-0x00000000730C0000-0x000000007366B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-22-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/3016-14-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-31-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-13-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads