quasar | dbb17bdad394245516b31e3e286453bc7e3de9d6788627fd8970dd588f81f063

General

Target

Client-built.exe
Size

3.1MB
MD5

266ea912a1c1d768a3e2268ee212e79b
SHA1

741ab991660b5568ea0108e6b0e0784c67f1fc17
SHA256

dbb17bdad394245516b31e3e286453bc7e3de9d6788627fd8970dd588f81f063
SHA512

755ad73b05ea6a33e6bfbc0da8482030c2a12e86b751dd9bfe80c7afee097074061a9bb7a73b04a646d1fb3a41e2255abb78d2fbed9a79a3fec9cc30eeae7ae2
SSDEEP

49152:mvflL26AaNeWgPhlmVqvMQ7XSKqTRJ6kbR3LoGdImTHHB72eh2NT:mvtL26AaNeWgPhlmVqkQ7XSKqTRJ6u

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.227:4782

Mutex

f3d13830-043f-4b71-9ea6-e9606fbe9c47

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
Windows Defender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/728-1-0x00000000004E0000-0x0000000000804000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

defenderx64.exe

pid process

1416 defenderx64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4416 schtasks.exe
1208 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exedefenderx64.exe

description pid process

Token: SeDebugPrivilege 728 Client-built.exe
Token: SeDebugPrivilege 1416 defenderx64.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

defenderx64.exe

pid process

1416 defenderx64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

defenderx64.exe

pid process

1416 defenderx64.exe

pid	process
1416	defenderx64.exe

pid	process
4416	schtasks.exe
1208	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	728	Client-built.exe
Token: SeDebugPrivilege	1416	defenderx64.exe

pid	process
1416	defenderx64.exe

pid	process
1416	defenderx64.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Client-built.exedefenderx64.exe

description	pid	process	target process
PID 728 wrote to memory of 4416	728	Client-built.exe	schtasks.exe
PID 728 wrote to memory of 4416	728	Client-built.exe	schtasks.exe
PID 728 wrote to memory of 1416	728	Client-built.exe	defenderx64.exe
PID 728 wrote to memory of 1416	728	Client-built.exe	defenderx64.exe
PID 1416 wrote to memory of 1208	1416	defenderx64.exe	schtasks.exe
PID 1416 wrote to memory of 1208	1416	defenderx64.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4416

C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Defender\defenderx64.exe

Filesize
3.1MB

MD5
266ea912a1c1d768a3e2268ee212e79b

SHA1
741ab991660b5568ea0108e6b0e0784c67f1fc17

SHA256
dbb17bdad394245516b31e3e286453bc7e3de9d6788627fd8970dd588f81f063

SHA512
755ad73b05ea6a33e6bfbc0da8482030c2a12e86b751dd9bfe80c7afee097074061a9bb7a73b04a646d1fb3a41e2255abb78d2fbed9a79a3fec9cc30eeae7ae2

Download Submit
memory/728-0-0x00007FFBF7EF3000-0x00007FFBF7EF5000-memory.dmp

Filesize
8KB

Download
memory/728-1-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/728-2-0x00007FFBF7EF0000-0x00007FFBF89B1000-memory.dmp

Filesize
10.8MB

Download
memory/728-8-0x00007FFBF7EF0000-0x00007FFBF89B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-9-0x00007FFBF7EF0000-0x00007FFBF89B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-10-0x00007FFBF7EF0000-0x00007FFBF89B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-11-0x000000001E2A0000-0x000000001E2F0000-memory.dmp

Filesize
320KB

Download
memory/1416-12-0x000000001E3B0000-0x000000001E462000-memory.dmp

Filesize
712KB

Download
memory/1416-13-0x00007FFBF7EF0000-0x00007FFBF89B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads