quasar | 900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd

General

Target

svchost.exe
Size

3.1MB
MD5

26959ef393fbd309059d5e43041c4fb6
SHA1

c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
SHA256

900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
SHA512

8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
SSDEEP

49152:Ov8t62XlaSFNWPjljiFa2RoUYITUZ3larzLoGdOTHHB72eh2NT:OvA62XlaSFNWPjljiFXRoUYIK3G

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

5.tcp.eu.ngrok.io:10972

Mutex

b028487a-6e45-4b66-9e91-3d4903e32b6c

Attributes

encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
install_name
DRIVER32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DRIVER32
subdirectory
SYSWOW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-1-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
C:\Windows\System32\SYSWOW\DRIVER32.exe	family_quasar
behavioral1/memory/2604-8-0x0000000000BD0000-0x0000000000EF4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

DRIVER32.exe

pid process

2604 DRIVER32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 5.tcp.eu.ngrok.io
20 5.tcp.eu.ngrok.io
35 5.tcp.eu.ngrok.io

pid	process
2604	DRIVER32.exe

flow	ioc
2	5.tcp.eu.ngrok.io
20	5.tcp.eu.ngrok.io
35	5.tcp.eu.ngrok.io

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\SYSWOW\DRIVER32.exe	svchost.exe
File opened for modification	C:\Windows\system32\SYSWOW\DRIVER32.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2516 schtasks.exe
2584 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeDRIVER32.exe

description pid process

Token: SeDebugPrivilege 2168 svchost.exe
Token: SeDebugPrivilege 2604 DRIVER32.exe

pid	process
2516	schtasks.exe
2584	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2168	svchost.exe
Token: SeDebugPrivilege	2604	DRIVER32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

svchost.exeDRIVER32.exe

description	pid	process	target process
PID 2168 wrote to memory of 2516	2168	svchost.exe	schtasks.exe
PID 2168 wrote to memory of 2516	2168	svchost.exe	schtasks.exe
PID 2168 wrote to memory of 2516	2168	svchost.exe	schtasks.exe
PID 2168 wrote to memory of 2604	2168	svchost.exe	DRIVER32.exe
PID 2168 wrote to memory of 2604	2168	svchost.exe	DRIVER32.exe
PID 2168 wrote to memory of 2604	2168	svchost.exe	DRIVER32.exe
PID 2604 wrote to memory of 2584	2604	DRIVER32.exe	schtasks.exe
PID 2604 wrote to memory of 2584	2604	DRIVER32.exe	schtasks.exe
PID 2604 wrote to memory of 2584	2604	DRIVER32.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\SYSWOW\DRIVER32.exe
"C:\Windows\system32\SYSWOW\DRIVER32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SYSWOW\DRIVER32.exe
Filesize
3.1MB

MD5
26959ef393fbd309059d5e43041c4fb6

SHA1
c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42

SHA256
900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd

SHA512
8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d

Download Submit
memory/2168-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2168-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-10-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-7-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-8-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

Filesize
3.1MB

Download
memory/2604-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-11-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-12-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads