quasar | 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e

General

Target

6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
Size

3.2MB
MD5

6f1434bdc116473171a42f081f86d2e5
SHA1

68dc8a913caaddbcd9dd976f478cba38935d1681
SHA256

6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e
SHA512

f7593f9d5033e816eb00eebd987a261b307443cb534763ab73c25ff640454aed06fb8651eb7a3c9a2b6750ed03891590cfa024425f948e2e87cb9950590fd70e
SSDEEP

98304:ahfos5HeMop9TM2EmSgFUMwCY7BtAFBsABH3:cfHHeMop9TM2ceUXN77Ksi3

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
msconfig.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2400-7-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4344	Msconfig.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2100	schtasks.exe
2032	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 2400	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	96
PID 3188 wrote to memory of 4828	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	97
PID 3188 wrote to memory of 4828	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	97
PID 3188 wrote to memory of 4828	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	97
PID 3188 wrote to memory of 712	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	99
PID 3188 wrote to memory of 712	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	99
PID 3188 wrote to memory of 712	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	99
PID 712 wrote to memory of 2100	712	cmd.exe	101
PID 712 wrote to memory of 2100	712	cmd.exe	101
PID 712 wrote to memory of 2100	712	cmd.exe	101
PID 3188 wrote to memory of 5064	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	102
PID 3188 wrote to memory of 5064	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	102
PID 3188 wrote to memory of 5064	3188	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	102
PID 2400 wrote to memory of 2032	2400	vbc.exe	104
PID 2400 wrote to memory of 2032	2400	vbc.exe	104
PID 2400 wrote to memory of 2032	2400	vbc.exe	104
PID 2400 wrote to memory of 4344	2400	vbc.exe	106
PID 2400 wrote to memory of 4344	2400	vbc.exe	106
PID 2400 wrote to memory of 4344	2400	vbc.exe	106

C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
"C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "msconfig.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Msconfig.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2032
- - C:\Windows\SysWOW64\SubDir\Msconfig.exe
    "C:\Windows\system32\SubDir\Msconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\MicrosoftTools"
  2⤵
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe" "C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe"
  2⤵
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SubDir\Msconfig.exe

Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
memory/2400-11-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-7-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/2400-8-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-9-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/2400-10-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2400-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-2-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/3188-3-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-4-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3188-5-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3188-13-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-1-0x00000000008C0000-0x0000000000BF0000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads