quasar | abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03

General

Target

abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe
Size

15KB
MD5

27275853bd5996fb2f3767772d068d56
SHA1

14fb4c3c74870f14af8c4cd7c8eafa81c99c70c2
SHA256

abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03
SHA512

7e05ec050eaea236c04d74042ac1b2d5634e2be0dd3b8807bada25c38f2f758de9cc25d69fcfd5086b949dc74b97ad2401bce9e6db541153cec60e33024cc887
SSDEEP

384:twpcZrxSdohsUVdko8bxjsCa2txgb6P/sxErmM8/ANWUh:mpSk8VOfb2M669Sct

Score

10^/10

quasar office04 execution spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

31.177.108.29:4782

Mutex

553dcf2c-4c70-4c0c-935a-2e078a46f03e

Attributes

encryption_key
DAFF70D249B4EC619D5A052FDD3418E3549FF268
install_name
KR6nDu9fLhop1bFe.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Defender.Process
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1400-29-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1256 powershell.exe
3188 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

QAIf15b9IkfnfpUg.exeKR6nDu9fLhop1bFe.exeNkmOO6HRmBVoOTt3.exe

pid process

1400 QAIf15b9IkfnfpUg.exe
2932 KR6nDu9fLhop1bFe.exe
904 NkmOO6HRmBVoOTt3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1244 schtasks.exe
1916 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1256 powershell.exe
1256 powershell.exe
3188 powershell.exe
3188 powershell.exe

pid	process
1256	powershell.exe
3188	powershell.exe

pid	process
1400	QAIf15b9IkfnfpUg.exe
2932	KR6nDu9fLhop1bFe.exe
904	NkmOO6HRmBVoOTt3.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

pid	process
1244	schtasks.exe
1916	schtasks.exe

pid	process
1256	powershell.exe
1256	powershell.exe
3188	powershell.exe
3188	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exepowershell.exeQAIf15b9IkfnfpUg.exeKR6nDu9fLhop1bFe.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1400	QAIf15b9IkfnfpUg.exe
Token: SeDebugPrivilege	2932	KR6nDu9fLhop1bFe.exe
Token: SeDebugPrivilege	3188	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

KR6nDu9fLhop1bFe.exe

pid process

2932 KR6nDu9fLhop1bFe.exe

pid	process
2932	KR6nDu9fLhop1bFe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exeQAIf15b9IkfnfpUg.exeKR6nDu9fLhop1bFe.exeNkmOO6HRmBVoOTt3.exe

description	pid	process	target process
PID 2452 wrote to memory of 1256	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	powershell.exe
PID 2452 wrote to memory of 1256	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	powershell.exe
PID 2452 wrote to memory of 1400	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	QAIf15b9IkfnfpUg.exe
PID 2452 wrote to memory of 1400	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	QAIf15b9IkfnfpUg.exe
PID 1400 wrote to memory of 1244	1400	QAIf15b9IkfnfpUg.exe	schtasks.exe
PID 1400 wrote to memory of 1244	1400	QAIf15b9IkfnfpUg.exe	schtasks.exe
PID 1400 wrote to memory of 2932	1400	QAIf15b9IkfnfpUg.exe	KR6nDu9fLhop1bFe.exe
PID 1400 wrote to memory of 2932	1400	QAIf15b9IkfnfpUg.exe	KR6nDu9fLhop1bFe.exe
PID 2932 wrote to memory of 1916	2932	KR6nDu9fLhop1bFe.exe	schtasks.exe
PID 2932 wrote to memory of 1916	2932	KR6nDu9fLhop1bFe.exe	schtasks.exe
PID 2452 wrote to memory of 904	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	NkmOO6HRmBVoOTt3.exe
PID 2452 wrote to memory of 904	2452	abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe	NkmOO6HRmBVoOTt3.exe
PID 904 wrote to memory of 3188	904	NkmOO6HRmBVoOTt3.exe	powershell.exe
PID 904 wrote to memory of 3188	904	NkmOO6HRmBVoOTt3.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe
"C:\Users\Admin\AppData\Local\Temp\abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SubDir'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Users\Admin\AppData\Roaming\SubDir\QAIf15b9IkfnfpUg.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\QAIf15b9IkfnfpUg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Defender.Process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1244
- - C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Defender.Process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\KR6nDu9fLhop1bFe.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1916
- C:\Users\Admin\AppData\Roaming\SubDir\NkmOO6HRmBVoOTt3.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\NkmOO6HRmBVoOTt3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CreditCardData

Filesize
100KB

MD5
1d4f8d30bb62d71ed5a1e4d4b309cb46

SHA1
9bc422632ca06d33c844eef77cc5d76432c72daf

SHA256
fbc631fd0dc2c24d4afe0a61fe6f454f8d2dc729111c87343b367e4fe5b32eda

SHA512
56b32e3d1182bbfedbd2d58238a779a36e295c84af91016b6fe4e4164cbcba461938b7979fc7186d5e5f33723a4948dd80eca09cec4810b386d07f7cf4dde440

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWhP5bww4WugRq8tQ4KJ0Y9HqySDZ4\screen1.png

Filesize
473KB

MD5
e78f28e71d8985ae2d3abccb70459fda

SHA1
8f45511b9470b0d1462e71718be57016ae875204

SHA256
6680dc35ca40ad8998c862d197fe7ecf5406b0d28f2599e181495eab2f442180

SHA512
aec06debb4d3770156019b6edf440ab5bf6acb87202f73ae6d33b2a4e4e8317c39247158700ef9e7b16e1b361a8c3621971d58337fc66031d688df79a9985f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWhP5bww4WugRq8tQ4KJ0Y9HqySDZ4\sensitive-files.zip

Filesize
6.8MB

MD5
359982a19738da8121cd2dbaaac047ff

SHA1
f9fe0a9e59ddde25f5afb697ef4561bbff9c39a0

SHA256
bae4f550a7711cfde7597674abc022bb7e3adec64b2751a6c302b3b839d7c705

SHA512
3313a3815ffebe811d2d43c8597875ed4bef46d3eefbf9a836626ea5b8cab80f1ba1556d5cc5b5390c3a5a4cbfaf3cb587d3de48405a924726bc7da23d2f8664

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWhP5bww4WugRq8tQ4KJ0Y9HqySDZ4\user_info.txt

Filesize
521B

MD5
e6d1af1e3cccdbea3b5a4ca600dd1274

SHA1
2cc4bcad434f5216992b716d3cce637e39846fcd

SHA256
c5f853d327683c665f40a229296e538d3ed6299aede794ffdcc7739a2d6e92aa

SHA512
acb46a73b6126063505ead54b49f69b70478a5b5db15a39d7ef1898a45aedc8236810687e63049e4a0b0f2f4e2226671bff7ad029072f96d111ff880db23c191

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e240ocnn.vfy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1256-4-0x000001EB594E0000-0x000001EB59502000-memory.dmp

Filesize
136KB

Download
memory/1256-12-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/1256-13-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/1256-16-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/1256-17-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/1400-29-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/2452-43-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/2452-53-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/2452-1-0x00007FF93BFB3000-0x00007FF93BFB5000-memory.dmp

Filesize
8KB

Download
memory/2452-32-0x00007FF93BFB3000-0x00007FF93BFB5000-memory.dmp

Filesize
8KB

Download
memory/2452-2-0x00007FF93BFB0000-0x00007FF93CA72000-memory.dmp

Filesize
10.8MB

Download
memory/2452-0-0x000001ED675A0000-0x000001ED675AA000-memory.dmp

Filesize
40KB

Download
memory/2932-41-0x000000001BC90000-0x000000001BCA2000-memory.dmp

Filesize
72KB

Download
memory/2932-42-0x000000001BCF0000-0x000000001BD2C000-memory.dmp

Filesize
240KB

Download
memory/2932-37-0x000000001AEA0000-0x000000001AEF0000-memory.dmp

Filesize
320KB

Download
memory/2932-38-0x000000001BD30000-0x000000001BDE2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads