quasar | 900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd

General

Target

svchost.exe
Size

3.1MB
MD5

26959ef393fbd309059d5e43041c4fb6
SHA1

c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
SHA256

900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
SHA512

8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
SSDEEP

49152:Ov8t62XlaSFNWPjljiFa2RoUYITUZ3larzLoGdOTHHB72eh2NT:OvA62XlaSFNWPjljiFXRoUYIK3G

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

5.tcp.eu.ngrok.io:10972

Mutex

b028487a-6e45-4b66-9e91-3d4903e32b6c

Attributes

encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
install_name
DRIVER32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DRIVER32
subdirectory
SYSWOW

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1128-0-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
C:\Windows\System32\SYSWOW\DRIVER32.exe	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DRIVER32.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation DRIVER32.exe
Executes dropped EXE 1 IoCs

Processes:

DRIVER32.exe

pid process

4888 DRIVER32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

12 5.tcp.eu.ngrok.io

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	DRIVER32.exe

pid	process
4888	DRIVER32.exe

flow	ioc
12	5.tcp.eu.ngrok.io

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\SYSWOW\DRIVER32.exe	svchost.exe
File opened for modification	C:\Windows\system32\SYSWOW\DRIVER32.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2876 schtasks.exe
4656 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1020 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeDRIVER32.exe

description pid process

Token: SeDebugPrivilege 1128 svchost.exe
Token: SeDebugPrivilege 4888 DRIVER32.exe

pid	process
2876	schtasks.exe
4656	schtasks.exe

pid	process
1020	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1128	svchost.exe
Token: SeDebugPrivilege	4888	DRIVER32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

svchost.exeDRIVER32.execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 2876	1128	svchost.exe	schtasks.exe
PID 1128 wrote to memory of 2876	1128	svchost.exe	schtasks.exe
PID 1128 wrote to memory of 4888	1128	svchost.exe	DRIVER32.exe
PID 1128 wrote to memory of 4888	1128	svchost.exe	DRIVER32.exe
PID 4888 wrote to memory of 4656	4888	DRIVER32.exe	schtasks.exe
PID 4888 wrote to memory of 4656	4888	DRIVER32.exe	schtasks.exe
PID 4888 wrote to memory of 4040	4888	DRIVER32.exe	schtasks.exe
PID 4888 wrote to memory of 4040	4888	DRIVER32.exe	schtasks.exe
PID 4888 wrote to memory of 3244	4888	DRIVER32.exe	cmd.exe
PID 4888 wrote to memory of 3244	4888	DRIVER32.exe	cmd.exe
PID 3244 wrote to memory of 4820	3244	cmd.exe	chcp.com
PID 3244 wrote to memory of 4820	3244	cmd.exe	chcp.com
PID 3244 wrote to memory of 1020	3244	cmd.exe	PING.EXE
PID 3244 wrote to memory of 1020	3244	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\SYSWOW\DRIVER32.exe
"C:\Windows\system32\SYSWOW\DRIVER32.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "DRIVER32" /sc ONLOGON /tr "C:\Windows\system32\SYSWOW\DRIVER32.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "DRIVER32" /f
3⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICz5gvKxcyKq.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4820

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ICz5gvKxcyKq.bat
Filesize
202B

MD5
1c11a9bd13fd24ae6fce034bd91d172a

SHA1
4114cc384c4530a04e50f1f1181efe085096f7b8

SHA256
d3f0228ea9e99060c77b70433028fb9a6f9b43289cd16401b0e593e982eaeaa7

SHA512
9a3f38a86bc66d4e1d65bf9a9ae6a683725022200f4c079bb8f7a46951bcb041e62e64afc9246440d759b8b585547bb269dda29e90fbb0f01c38c7e1b62a6c2f

Download Submit
C:\Windows\System32\SYSWOW\DRIVER32.exe
Filesize
3.1MB

MD5
26959ef393fbd309059d5e43041c4fb6

SHA1
c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42

SHA256
900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd

SHA512
8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d

Download Submit
memory/1128-1-0x00007FFD8DBE3000-0x00007FFD8DBE5000-memory.dmp

Filesize
8KB

Download
memory/1128-0-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/4888-10-0x000000001D740000-0x000000001D7F2000-memory.dmp

Filesize
712KB

Download
memory/4888-9-0x000000001B770000-0x000000001B7C0000-memory.dmp

Filesize
320KB

Download
memory/4888-8-0x00007FFD8DBE0000-0x00007FFD8E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-13-0x000000001B7E0000-0x000000001B7F2000-memory.dmp

Filesize
72KB

Download
memory/4888-14-0x000000001D6C0000-0x000000001D6FC000-memory.dmp

Filesize
240KB

Download
memory/4888-15-0x00007FFD8DBE0000-0x00007FFD8E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-16-0x00007FFD8DBE0000-0x00007FFD8E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-21-0x00007FFD8DBE0000-0x00007FFD8E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4888-7-0x00007FFD8DBE0000-0x00007FFD8E6A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads