quasar | 6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e

General

Target

6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
Size

3.2MB
MD5

6f1434bdc116473171a42f081f86d2e5
SHA1

68dc8a913caaddbcd9dd976f478cba38935d1681
SHA256

6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e
SHA512

f7593f9d5033e816eb00eebd987a261b307443cb534763ab73c25ff640454aed06fb8651eb7a3c9a2b6750ed03891590cfa024425f948e2e87cb9950590fd70e
SSDEEP

98304:ahfos5HeMop9TM2EmSgFUMwCY7BtAFBsABH3:cfHHeMop9TM2ceUXN77Ksi3

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
msconfig.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3596-6-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2308	Msconfig.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3796	schtasks.exe
3908	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 3596	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	80
PID 2200 wrote to memory of 896	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	81
PID 2200 wrote to memory of 896	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	81
PID 2200 wrote to memory of 896	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	81
PID 2200 wrote to memory of 2036	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	83
PID 2200 wrote to memory of 2036	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	83
PID 2200 wrote to memory of 2036	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	83
PID 2036 wrote to memory of 3796	2036	cmd.exe	85
PID 2036 wrote to memory of 3796	2036	cmd.exe	85
PID 2036 wrote to memory of 3796	2036	cmd.exe	85
PID 2200 wrote to memory of 1044	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	86
PID 2200 wrote to memory of 1044	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	86
PID 2200 wrote to memory of 1044	2200	6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe	86
PID 3596 wrote to memory of 3908	3596	vbc.exe	88
PID 3596 wrote to memory of 3908	3596	vbc.exe	88
PID 3596 wrote to memory of 3908	3596	vbc.exe	88
PID 3596 wrote to memory of 2308	3596	vbc.exe	90
PID 3596 wrote to memory of 2308	3596	vbc.exe	90
PID 3596 wrote to memory of 2308	3596	vbc.exe	90

C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe
"C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "msconfig.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Msconfig.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3908
- - C:\Windows\SysWOW64\SubDir\Msconfig.exe
    "C:\Windows\system32\SubDir\Msconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\MicrosoftTools"
  2⤵
  PID:896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\6406cf5b9e7e6cbddf902322bd13c02f01b6a3335fbf53d839e740469ed9fc9e.exe" "C:\Users\Admin\AppData\Roaming\MicrosoftTools\MicrosoftTools.exe"
  2⤵
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SubDir\Msconfig.exe

Filesize
2.5MB

MD5
a731372e6f6978ce25617ae01b143351

SHA1
eab9863a3b7fe5ba2c916a5115c4f13d0984ff89

SHA256
19a3cfbc90e877df30e938fb55785ac3ba8e2e30a54ffbb5af6e0ec9430f9e4b

SHA512
4824c046c2b8370dc290ffbec0c2aa17a4cc22ed2b313e33d72e4aec5d01ab9e6e9676848752d37d95aafa9818f35b233bf70e7a84e0fa0106d22c5f07a38b0d

Download Submit
memory/2200-12-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/2200-1-0x0000000000290000-0x00000000005C0000-memory.dmp

Filesize
3.2MB

Download
memory/2200-2-0x00000000057F0000-0x0000000005D96000-memory.dmp

Filesize
5.6MB

Download
memory/2200-3-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/2200-4-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/2200-5-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/2200-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/3596-6-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3596-9-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/3596-10-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/3596-8-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/3596-7-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/3596-18-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads