quasar | 7a20c6e0574d36d2d972450002eff9f226351ef2d594be1f80f33b7502649dd0

General

Target

Client-built.exe
Size

3.1MB
MD5

115b3ecdeb0aaffe00e90d5cc3c51a88
SHA1

24c414a2fe724d6f5310a757c5fa6f97fe61d75b
SHA256

7a20c6e0574d36d2d972450002eff9f226351ef2d594be1f80f33b7502649dd0
SHA512

872fa8e3839c8dd54faf7be7e12f7ae89ac6bed8a7fbe0fd5df8fc66e98f32ed2ed7c4446c406fade7214ccc4cc869c094e1cf0f4dad472c30f0493f165aa6e7
SSDEEP

49152:LvyI22SsaNYfdPBldt698dBcjHgxDEDwNk/JxhoGdsTHHB72eh2NT:Lvf22SsaNYfdPBldt6+dBcjHgxeT

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.88.91.31:4782

Mutex

67eb7beb-85a5-459d-aba7-8e55a1344249

Attributes

encryption_key
18A3C5CC053BEC5C80BD4C5011E5C6BF640A466A
install_name
Chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Notifications
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2908-1-0x0000000000920000-0x0000000000C44000-memory.dmp	family_quasar
behavioral1/files/0x000800000001660d-5.dat	family_quasar
behavioral1/memory/2912-8-0x0000000000AA0000-0x0000000000DC4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2912	Chrome.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Chrome.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Chrome.exe	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
2928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	Client-built.exe
Token: SeDebugPrivilege	2912	Chrome.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2912	Chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2912	Chrome.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2252	2908	Client-built.exe	30
PID 2908 wrote to memory of 2252	2908	Client-built.exe	30
PID 2908 wrote to memory of 2252	2908	Client-built.exe	30
PID 2908 wrote to memory of 2912	2908	Client-built.exe	32
PID 2908 wrote to memory of 2912	2908	Client-built.exe	32
PID 2908 wrote to memory of 2912	2908	Client-built.exe	32
PID 2912 wrote to memory of 2928	2912	Chrome.exe	33
PID 2912 wrote to memory of 2928	2912	Chrome.exe	33
PID 2912 wrote to memory of 2928	2912	Chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Notifications" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Chrome.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2252
- C:\Windows\system32\SubDir\Chrome.exe
  "C:\Windows\system32\SubDir\Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Notifications" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\Chrome.exe

Filesize
3.1MB

MD5
115b3ecdeb0aaffe00e90d5cc3c51a88

SHA1
24c414a2fe724d6f5310a757c5fa6f97fe61d75b

SHA256
7a20c6e0574d36d2d972450002eff9f226351ef2d594be1f80f33b7502649dd0

SHA512
872fa8e3839c8dd54faf7be7e12f7ae89ac6bed8a7fbe0fd5df8fc66e98f32ed2ed7c4446c406fade7214ccc4cc869c094e1cf0f4dad472c30f0493f165aa6e7

Download Submit
memory/2908-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000000920000-0x0000000000C44000-memory.dmp

Filesize
3.1MB

Download
memory/2908-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-7-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-9-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-8-0x0000000000AA0000-0x0000000000DC4000-memory.dmp

Filesize
3.1MB

Download
memory/2912-10-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-11-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads