quasar | c8e42ac2cdd0927bb4278a4cc154e8c768e8e1b0b5d5a02f04f9b9a16e6a7bf1

General

Target

Sp00fer.exe
Size

3.1MB
MD5

ff468df2fde593962c6cdb3bdb4614ce
SHA1

870daa4279fa830d1f555f82ad8ac49789a6e31c
SHA256

c8e42ac2cdd0927bb4278a4cc154e8c768e8e1b0b5d5a02f04f9b9a16e6a7bf1
SHA512

e3ce71ee59b3ff3cd989d73b1c59255135bbdff53d6e50695cb24445a4ba1ad3626623e3f39dc4ece1ebae9b82547555cc726e20c5b093926bf9b459c5c7ce0a
SSDEEP

49152:jvulL26AaNeWgPhlmVqvMQ7XSKDy6Rk0vGYLoG2JquTHHB72eh2NT:jveL26AaNeWgPhlmVqkQ7XSKdk4

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

pringelsy-53072.portmap.host:53072

Mutex

6dc28d35-3024-44a7-a559-f9991015fa39

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
Client.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1428-1-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar
behavioral2/files/0x000900000002340d-6.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
4040	Client.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Client.exe	Sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Sp00fer.exe
File opened for modification	C:\Program Files\Common Files	Sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4888	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4092	schtasks.exe
2720	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	Sp00fer.exe
Token: SeDebugPrivilege	4040	Client.exe
Token: SeShutdownPrivilege	4040	Client.exe
Token: SeCreatePagefilePrivilege	4040	Client.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4040	Client.exe
4040	Client.exe
4040	Client.exe
4040	Client.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4040	Client.exe
4040	Client.exe
4040	Client.exe
4040	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4040	Client.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4092	1428	Sp00fer.exe	81
PID 1428 wrote to memory of 4092	1428	Sp00fer.exe	81
PID 1428 wrote to memory of 4040	1428	Sp00fer.exe	83
PID 1428 wrote to memory of 4040	1428	Sp00fer.exe	83
PID 4040 wrote to memory of 2720	4040	Client.exe	84
PID 4040 wrote to memory of 2720	4040	Client.exe	84
PID 4040 wrote to memory of 3484	4040	Client.exe	97
PID 4040 wrote to memory of 3484	4040	Client.exe	97
PID 4040 wrote to memory of 1256	4040	Client.exe	99
PID 4040 wrote to memory of 1256	4040	Client.exe	99
PID 1256 wrote to memory of 3168	1256	cmd.exe	101
PID 1256 wrote to memory of 3168	1256	cmd.exe	101
PID 1256 wrote to memory of 4888	1256	cmd.exe	102
PID 1256 wrote to memory of 4888	1256	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe
"C:\Users\Admin\AppData\Local\Temp\Sp00fer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4092
- C:\Program Files\Common Files\Client.exe
  "C:\Program Files\Common Files\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "Quasar Client Startup" /f
    3⤵
    PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t5MDnTFXM9tz.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3168
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Client.exe

Filesize
3.1MB

MD5
ff468df2fde593962c6cdb3bdb4614ce

SHA1
870daa4279fa830d1f555f82ad8ac49789a6e31c

SHA256
c8e42ac2cdd0927bb4278a4cc154e8c768e8e1b0b5d5a02f04f9b9a16e6a7bf1

SHA512
e3ce71ee59b3ff3cd989d73b1c59255135bbdff53d6e50695cb24445a4ba1ad3626623e3f39dc4ece1ebae9b82547555cc726e20c5b093926bf9b459c5c7ce0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5MDnTFXM9tz.bat

Filesize
203B

MD5
083a93eaefe861d0a205765c5d4e617a

SHA1
6a4c93e80b42241312986649c1ab791f6a074ac8

SHA256
e8eeacd905f9c4c92a9847f33f39c75782fdd36484f09ae8cedc97ccca626108

SHA512
f8daf1eabae7938f2a94c317fa2338522f1b70e6100bd8d1b4e5d596126f3441bb05c2f1981ed611e40f7be4b6db4fd5cc874ab70d5991f5f6e6c665c75d4e34

Download Submit
memory/1428-0-0x00007FFB52013000-0x00007FFB52015000-memory.dmp

Filesize
8KB

Download
memory/1428-1-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/1428-2-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1428-9-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-11-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-12-0x000000001D510000-0x000000001D560000-memory.dmp

Filesize
320KB

Download
memory/4040-13-0x000000001D620000-0x000000001D6D2000-memory.dmp

Filesize
712KB

Download
memory/4040-14-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-17-0x000000001D5A0000-0x000000001D5B2000-memory.dmp

Filesize
72KB

Download
memory/4040-18-0x000000001E320000-0x000000001E35C000-memory.dmp

Filesize
240KB

Download
memory/4040-10-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-24-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads