quasar | 2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e

General

Target

f54598770f770d815c9707dd33518eac.exe
Size

3.1MB
MD5

f54598770f770d815c9707dd33518eac
SHA1

6acf4aaf1d74710ef92c0b99a4b263202fbefcb7
SHA256

2cb1adb73eda0d1c2dc62f7bc312add25cfcc04017d3998e11513c4d02b1150e
SHA512

dc927e84c41121e43f281af15ede1dcce368f1f94e88b56c893a1dfda8aa412547fe5f77d46fcc6a9fc8842b860edf4b3a3c059919b460d0f8611035d9e42d36
SSDEEP

49152:SvyI22SsaNYfdPBldt698dBcjHutbXPEhNvJJaoGdwjTHHB72eh2NT:Svf22SsaNYfdPBldt6+dBcjHZhg

Score

10^/10

quasar office01 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office01

C2

www.exiles.site:14782

Mutex

a0f587a6-d40f-499d-8e9e-b0831e1cb678

Attributes

encryption_key
49BF5A48970D914C7E70F494A8E16B5EFA3AB6A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3456-0-0x0000000000B50000-0x0000000000E74000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4672 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4980 schtasks.exe
4864 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f54598770f770d815c9707dd33518eac.exeClient.exe

description pid process

Token: SeDebugPrivilege 3456 f54598770f770d815c9707dd33518eac.exe
Token: SeDebugPrivilege 4672 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4672 Client.exe

pid	process
4672	Client.exe

pid	process
4980	schtasks.exe
4864	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3456	f54598770f770d815c9707dd33518eac.exe
Token: SeDebugPrivilege	4672	Client.exe

pid	process
4672	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f54598770f770d815c9707dd33518eac.exeClient.exe

description	pid	process	target process
PID 3456 wrote to memory of 4980	3456	f54598770f770d815c9707dd33518eac.exe	schtasks.exe
PID 3456 wrote to memory of 4980	3456	f54598770f770d815c9707dd33518eac.exe	schtasks.exe
PID 3456 wrote to memory of 4672	3456	f54598770f770d815c9707dd33518eac.exe	Client.exe
PID 3456 wrote to memory of 4672	3456	f54598770f770d815c9707dd33518eac.exe	Client.exe
PID 4672 wrote to memory of 4864	4672	Client.exe	schtasks.exe
PID 4672 wrote to memory of 4864	4672	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f54598770f770d815c9707dd33518eac.exe
"C:\Users\Admin\AppData\Local\Temp\f54598770f770d815c9707dd33518eac.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
1⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
432KB

MD5
d53a9394e04521e2b85abd33cada55d7

SHA1
f455ba0f476f4037dae6aa0f94c7fa1d8d02bc98

SHA256
3caec5c1133187cb65033f6120a0ede0e3c6085b3d2f224a045e833f48fa6450

SHA512
4567d3e093fd8d67c56ff2472ce4567b72b8ece6ba3e5f967e84cf03b108516ece1cd8eba4b7e41f87b50b229c86f733d60f2539bc2867d005a9d3ef5e194e4c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
768KB

MD5
b2b596f8691536b12f53af6a419e1c25

SHA1
0da741ed403ff81713850ab5a9f386aed4d9bbbe

SHA256
6758af075e83cbcff235c71b724ac3f1fc57bf781f115120fa0ce728525a4d62

SHA512
85834312db0514cef76bdd6a8810b68a8384321d4dea45685f0d3ce15d776a776bb0ed967abc5e792015a2fda8ad4a1781bcfab8ed86953537abf56355414abb

Download Submit
memory/3456-10-0x00007FF812EC0000-0x00007FF813981000-memory.dmp

Filesize
10.8MB

Download
memory/3456-2-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3456-1-0x00007FF812EC0000-0x00007FF813981000-memory.dmp

Filesize
10.8MB

Download
memory/3456-0-0x0000000000B50000-0x0000000000E74000-memory.dmp

Filesize
3.1MB

Download
memory/4672-9-0x00007FF812EC0000-0x00007FF813981000-memory.dmp

Filesize
10.8MB

Download
memory/4672-11-0x000000001BF50000-0x000000001BF60000-memory.dmp

Filesize
64KB

Download
memory/4672-12-0x000000001BEC0000-0x000000001BF10000-memory.dmp

Filesize
320KB

Download
memory/4672-13-0x000000001C710000-0x000000001C7C2000-memory.dmp

Filesize
712KB

Download
memory/4672-16-0x000000001C650000-0x000000001C662000-memory.dmp

Filesize
72KB

Download
memory/4672-17-0x000000001C6B0000-0x000000001C6EC000-memory.dmp

Filesize
240KB

Download
memory/4672-18-0x00007FF812EC0000-0x00007FF813981000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads