quasar | 8a7cfe4a79b49501f486288fe3c87138305119b04f126a8a9e8408f3d8e3771c

General

Target

e46a4d586b41c48125c7f5f44e5f23e2.exe
Size

3.1MB
MD5

e46a4d586b41c48125c7f5f44e5f23e2
SHA1

b0ea55d5932426e0722167989691f11e08980ee0
SHA256

8a7cfe4a79b49501f486288fe3c87138305119b04f126a8a9e8408f3d8e3771c
SHA512

68c999533b8e3e5f2ede4f1b69838c99530b67f6f3da9ebd3c5641de72bcbfeae0b06e52811c602fbf52a85a4726109e8aab3d97fd1181dce34548106b12978b
SSDEEP

49152:jvpG42pda6D+/PjlLOlg6yQipVy8vE780k/mkEoGdiyTHHB72eh2NT:jvY42pda6D+/PjlLOlZyQipVy8Gv

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.9.33.1:25377

SteveLean-47385.portmap.host:47385

Mutex

603e73f4-1a5c-4a9d-96e3-7ee1f44390dd

Attributes

encryption_key
5C96F3FC23C24141669D950745FC3357502CE24B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-1-0x0000000001200000-0x0000000001524000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2996-8-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2148-23-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/2040-35-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar
behavioral1/memory/928-46-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/2944-58-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exe

pid process

2996 Client.exe
2148 Client.exe
2040 Client.exe
928 Client.exe
2944 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2460 PING.EXE
1672 PING.EXE
564 PING.EXE
1484 PING.EXE

pid	process
2996	Client.exe
2148	Client.exe
2040	Client.exe
928	Client.exe
2944	Client.exe

pid	process
2460	PING.EXE
1672	PING.EXE
564	PING.EXE
1484	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e46a4d586b41c48125c7f5f44e5f23e2.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2916	e46a4d586b41c48125c7f5f44e5f23e2.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	2148	Client.exe
Token: SeDebugPrivilege	2040	Client.exe
Token: SeDebugPrivilege	928	Client.exe
Token: SeDebugPrivilege	2944	Client.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exe

pid process

2996 Client.exe
2148 Client.exe
2040 Client.exe
928 Client.exe
2944 Client.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exe

pid process

2996 Client.exe
2148 Client.exe
2040 Client.exe
928 Client.exe
2944 Client.exe

pid	process
2996	Client.exe
2148	Client.exe
2040	Client.exe
928	Client.exe
2944	Client.exe

pid	process
2996	Client.exe
2148	Client.exe
2040	Client.exe
928	Client.exe
2944	Client.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

e46a4d586b41c48125c7f5f44e5f23e2.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2916 wrote to memory of 2996	2916	e46a4d586b41c48125c7f5f44e5f23e2.exe	Client.exe
PID 2916 wrote to memory of 2996	2916	e46a4d586b41c48125c7f5f44e5f23e2.exe	Client.exe
PID 2916 wrote to memory of 2996	2916	e46a4d586b41c48125c7f5f44e5f23e2.exe	Client.exe
PID 2996 wrote to memory of 2504	2996	Client.exe	cmd.exe
PID 2996 wrote to memory of 2504	2996	Client.exe	cmd.exe
PID 2996 wrote to memory of 2504	2996	Client.exe	cmd.exe
PID 2504 wrote to memory of 2440	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2440	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2440	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2460	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2460	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2460	2504	cmd.exe	PING.EXE
PID 2504 wrote to memory of 2148	2504	cmd.exe	Client.exe
PID 2504 wrote to memory of 2148	2504	cmd.exe	Client.exe
PID 2504 wrote to memory of 2148	2504	cmd.exe	Client.exe
PID 2148 wrote to memory of 1600	2148	Client.exe	cmd.exe
PID 2148 wrote to memory of 1600	2148	Client.exe	cmd.exe
PID 2148 wrote to memory of 1600	2148	Client.exe	cmd.exe
PID 1600 wrote to memory of 2280	1600	cmd.exe	chcp.com
PID 1600 wrote to memory of 2280	1600	cmd.exe	chcp.com
PID 1600 wrote to memory of 2280	1600	cmd.exe	chcp.com
PID 1600 wrote to memory of 1672	1600	cmd.exe	PING.EXE
PID 1600 wrote to memory of 1672	1600	cmd.exe	PING.EXE
PID 1600 wrote to memory of 1672	1600	cmd.exe	PING.EXE
PID 1600 wrote to memory of 2040	1600	cmd.exe	Client.exe
PID 1600 wrote to memory of 2040	1600	cmd.exe	Client.exe
PID 1600 wrote to memory of 2040	1600	cmd.exe	Client.exe
PID 2040 wrote to memory of 1748	2040	Client.exe	cmd.exe
PID 2040 wrote to memory of 1748	2040	Client.exe	cmd.exe
PID 2040 wrote to memory of 1748	2040	Client.exe	cmd.exe
PID 1748 wrote to memory of 324	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 324	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 324	1748	cmd.exe	chcp.com
PID 1748 wrote to memory of 564	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 564	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 564	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 928	1748	cmd.exe	Client.exe
PID 1748 wrote to memory of 928	1748	cmd.exe	Client.exe
PID 1748 wrote to memory of 928	1748	cmd.exe	Client.exe
PID 928 wrote to memory of 864	928	Client.exe	cmd.exe
PID 928 wrote to memory of 864	928	Client.exe	cmd.exe
PID 928 wrote to memory of 864	928	Client.exe	cmd.exe
PID 864 wrote to memory of 2752	864	cmd.exe	chcp.com
PID 864 wrote to memory of 2752	864	cmd.exe	chcp.com
PID 864 wrote to memory of 2752	864	cmd.exe	chcp.com
PID 864 wrote to memory of 1484	864	cmd.exe	PING.EXE
PID 864 wrote to memory of 1484	864	cmd.exe	PING.EXE
PID 864 wrote to memory of 1484	864	cmd.exe	PING.EXE
PID 864 wrote to memory of 2944	864	cmd.exe	Client.exe
PID 864 wrote to memory of 2944	864	cmd.exe	Client.exe
PID 864 wrote to memory of 2944	864	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\e46a4d586b41c48125c7f5f44e5f23e2.exe
"C:\Users\Admin\AppData\Local\Temp\e46a4d586b41c48125c7f5f44e5f23e2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TtMLasYbPR4f.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2460

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\l4FxorT7C9F6.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2280

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUcmYrLiSXWa.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:324

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FXBX309nLDAm.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1484

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FXBX309nLDAm.bat

Filesize
207B

MD5
1d624822c1c5293996daaa0f48dc3868

SHA1
97e1b5aeb71dcad79254d5a638ed269137493443

SHA256
06938f8e45f0719138a54210cf181da270c0823f1ddb0686036b9082b4bde784

SHA512
722bad4a1fef0ea1cab1363ad5333c8529d8f65d840671ef1c45cb254fd74818ee52622ce8fd4a45509145a32912f68b879a71eadf355babf5bc1c84cee70400

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUcmYrLiSXWa.bat

Filesize
207B

MD5
762ea83cffb890be0a683ad2a615945b

SHA1
a25b081ce7d37778a41e7fe9404325fe39084467

SHA256
4587068a03aa7afad3aa9b22bbba3e7986e2a5a5beecd14021796deb5adde442

SHA512
301f1636439928fe3bd950c9c8b2afb961bdcd923da21de3164eb550891bdf4264db951adb0a8ad56dad8bb03e357665e7aa031c416660bb4bb23b7251c09bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtMLasYbPR4f.bat

Filesize
207B

MD5
13b0a513ddecbde819fc9fa737715132

SHA1
6e4b081affea260ff124e5f9a22fe308b55c0f5f

SHA256
54a2ca00d12e6d2a87b10b91a1eeca122541191fec24bbe90276a89b25194a17

SHA512
bf0ed062235e2065288262cbf94a18d04a3caf5d39f7e330516db9dbdc46f84288a4d462b7428a711a95613cf6961efa9c001535e580f00c15e491618f615445

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4FxorT7C9F6.bat

Filesize
207B

MD5
6406eba064ae91398a38043852c8cb48

SHA1
76ca7a02847edf4ff9866eba2eab9d9b73f660cb

SHA256
9033e1e35bbed30834f3df6e2ce6246b0c15aadf90c70d09c51b7d5bccdc1d69

SHA512
39286672215644719cbed13cd9b5c9cc3bdd67b4d345f4a872ae6ada242c1446bb1b4094fd6936db9f3a1abc383742e1cf872f5a0bca21e3c16924c2b963099d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e46a4d586b41c48125c7f5f44e5f23e2

SHA1
b0ea55d5932426e0722167989691f11e08980ee0

SHA256
8a7cfe4a79b49501f486288fe3c87138305119b04f126a8a9e8408f3d8e3771c

SHA512
68c999533b8e3e5f2ede4f1b69838c99530b67f6f3da9ebd3c5641de72bcbfeae0b06e52811c602fbf52a85a4726109e8aab3d97fd1181dce34548106b12978b

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/928-46-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/2040-35-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download
memory/2148-23-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/2916-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/2916-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-7-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x0000000001200000-0x0000000001524000-memory.dmp

Filesize
3.1MB

Download
memory/2944-58-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2996-8-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2996-20-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-11-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-10-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-9-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads