quasar | 4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e

General

Target

Encrypted.exe
Size

9.0MB
MD5

78c78748cab54dcf941633f5297c1bf6
SHA1

0c0ee5e0694315bc3813c95d8561056dd8831bee
SHA256

4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e
SHA512

d2212b83a7a4ca4d428cb200f45cc723f6f41485ffd7856f6eeba00f86996f584009e3f2fc5bb0230bfaa96e9c75ac08d3a0c56a07fa94b03b5b220e3e63458f
SSDEEP

49152:/D34Eaz/gdH5o3T8VNZXPkp33BbXh4cpybjPimb+GbZ16xViBGGxxedCCaU0Ddd9:/EsHiAKJxDhpYqemxkDTfgY

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2532-7-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

Msconfig.exemsconfig.exeMsconfig.exemsconfig.exe

pid process

4304 Msconfig.exe
1972 msconfig.exe
1944 Msconfig.exe
3192 msconfig.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4304	Msconfig.exe
1972	msconfig.exe
1944	Msconfig.exe
3192	msconfig.exe

Drops file in System32 directory 6 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Encrypted.exemsconfig.exe

description	pid	process	target process
PID 1804 set thread context of 2532	1804	Encrypted.exe	vbc.exe
PID 1972 set thread context of 3920	1972	msconfig.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4396 schtasks.exe
4532 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 2532 vbc.exe
Token: SeDebugPrivilege 3920 vbc.exe

pid	process
4396	schtasks.exe
4532	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2532	vbc.exe
Token: SeDebugPrivilege	3920	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Encrypted.execmd.exevbc.exemsconfig.execmd.exevbc.exe

description	pid	process	target process
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2532	1804	Encrypted.exe	vbc.exe
PID 1804 wrote to memory of 2276	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 2276	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 2276	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 3440	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 3440	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 3440	1804	Encrypted.exe	cmd.exe
PID 3440 wrote to memory of 4396	3440	cmd.exe	schtasks.exe
PID 3440 wrote to memory of 4396	3440	cmd.exe	schtasks.exe
PID 3440 wrote to memory of 4396	3440	cmd.exe	schtasks.exe
PID 1804 wrote to memory of 4648	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 4648	1804	Encrypted.exe	cmd.exe
PID 1804 wrote to memory of 4648	1804	Encrypted.exe	cmd.exe
PID 2532 wrote to memory of 4304	2532	vbc.exe	Msconfig.exe
PID 2532 wrote to memory of 4304	2532	vbc.exe	Msconfig.exe
PID 2532 wrote to memory of 4304	2532	vbc.exe	Msconfig.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 3920	1972	msconfig.exe	vbc.exe
PID 1972 wrote to memory of 4984	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 4984	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 4984	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 2768	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 2768	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 2768	1972	msconfig.exe	cmd.exe
PID 2768 wrote to memory of 4532	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 4532	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 4532	2768	cmd.exe	schtasks.exe
PID 1972 wrote to memory of 1072	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 1072	1972	msconfig.exe	cmd.exe
PID 1972 wrote to memory of 1072	1972	msconfig.exe	cmd.exe
PID 3920 wrote to memory of 1944	3920	vbc.exe	Msconfig.exe
PID 3920 wrote to memory of 1944	3920	vbc.exe	Msconfig.exe
PID 3920 wrote to memory of 1944	3920	vbc.exe	Msconfig.exe

C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
"C:\Users\Admin\AppData\Local\Temp\Encrypted.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\SubDir\Msconfig.exe
"C:\Windows\system32\SubDir\Msconfig.exe"
3⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Encrypted.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
2⤵
PID:4648

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\SubDir\Msconfig.exe
"C:\Windows\system32\SubDir\Msconfig.exe"
3⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
2⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
PID:3192

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msconfig.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
Filesize
9.0MB

MD5
78c78748cab54dcf941633f5297c1bf6

SHA1
0c0ee5e0694315bc3813c95d8561056dd8831bee

SHA256
4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e

SHA512
d2212b83a7a4ca4d428cb200f45cc723f6f41485ffd7856f6eeba00f86996f584009e3f2fc5bb0230bfaa96e9c75ac08d3a0c56a07fa94b03b5b220e3e63458f

Download Submit
C:\Windows\SysWOW64\SubDir\Msconfig.exe
Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
memory/1804-14-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1804-1-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1804-2-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/1804-3-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/1804-4-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1804-0-0x0000000000CC0000-0x0000000000FEC000-memory.dmp

Filesize
3.2MB

Download
memory/2532-9-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2532-13-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/2532-21-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2532-8-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2532-7-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/2532-6-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads