quasar | a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

General

Target

Lo último.exe
Size

3.1MB
MD5

afb2e5dad453db7cf42339f806f37532
SHA1

90fa9e8b4ed9d086d67b9f86dc57151db1637ca9
SHA256

a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e
SHA512

72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f
SSDEEP

49152:Hv+lL26AaNeWgPhlmVqvMQ7XSKwkamEoXdl3THHB72eh2NT:HvuL26AaNeWgPhlmVqkQ7XSK9af8

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Ingrid78-20703.portmap.host:20703

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2788-1-0x0000000000520000-0x0000000000844000-memory.dmp	family_quasar
behavioral1/files/0x00280000000450df-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3968	Client.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
3380	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
240	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	Lo último.exe
Token: SeDebugPrivilege	3968	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3968	Client.exe
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE
240	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2928	2788	Lo último.exe	83
PID 2788 wrote to memory of 2928	2788	Lo último.exe	83
PID 2788 wrote to memory of 3968	2788	Lo último.exe	85
PID 2788 wrote to memory of 3968	2788	Lo último.exe	85
PID 3968 wrote to memory of 3380	3968	Client.exe	86
PID 3968 wrote to memory of 3380	3968	Client.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lo último.exe
"C:\Users\Admin\AppData\Local\Temp\Lo último.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2928
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3380

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\CheckpointSet.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
395B

MD5
899d2c8aa0f4a35207264b6b5377f622

SHA1
e53fc05bab56d00cfc7f281167c6afbcd73ef185

SHA256
4e48bf82609656a9d88f8667a4c6fd8805c2cd618384d7c7f33a4cdf8e9c49d3

SHA512
fa2a5b388bdff54bd83c020e907f61ba9be5cc562d8e6efcca568825eaf803899c402bea61c588352aeb2110a6a6e378ad41cd527bf5e9898554377105523a66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
5b3b04499ea75f3b0888968ecd651d8c

SHA1
c82cabd8c55cc23287730382dc88970a07b41343

SHA256
335335fa8834ab1e823e175b37c1acd8d110ad9d45cf6bb81beff1551e15b95f

SHA512
6ff5415c6a0ffe4e77898cb99583f5fcf1f30a5c61ae341343d59020b79887a7d734804bbbecf3e015c453595080f9a25f7079aed1447dcdac1d27630cd3e60d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
2d385cbe43dd508a621b118968655bac

SHA1
5fa242ba0b17f6e92ee6dcb61f891d2571030906

SHA256
94ddb0f7c9005b200bc9438b476553755deced77dd5ce80a6fcdfd0ee9f8e7bf

SHA512
23fc7bc4b8a1b462c0370759e34bc9007b0f9a38f341d6a322d7bb4bf7c3709ea1606188324bad40ca30e62c410d2bf4dd4da6b6dbbd2c698bc5c8d1ad736f79

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
afb2e5dad453db7cf42339f806f37532

SHA1
90fa9e8b4ed9d086d67b9f86dc57151db1637ca9

SHA256
a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

SHA512
72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f

Download Submit
memory/240-17-0x00007FFF89D70000-0x00007FFF89D80000-memory.dmp

Filesize
64KB

Download
memory/240-22-0x00007FFF87D00000-0x00007FFF87D10000-memory.dmp

Filesize
64KB

Download
memory/240-21-0x00007FFF87D00000-0x00007FFF87D10000-memory.dmp

Filesize
64KB

Download
memory/240-20-0x00007FFF89D70000-0x00007FFF89D80000-memory.dmp

Filesize
64KB

Download
memory/240-19-0x00007FFF89D70000-0x00007FFF89D80000-memory.dmp

Filesize
64KB

Download
memory/240-16-0x00007FFF89D70000-0x00007FFF89D80000-memory.dmp

Filesize
64KB

Download
memory/240-18-0x00007FFF89D70000-0x00007FFF89D80000-memory.dmp

Filesize
64KB

Download
memory/2788-6-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download
memory/2788-0-0x00007FFFAB713000-0x00007FFFAB715000-memory.dmp

Filesize
8KB

Download
memory/2788-2-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download
memory/2788-1-0x0000000000520000-0x0000000000844000-memory.dmp

Filesize
3.1MB

Download
memory/3968-5-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download
memory/3968-15-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download
memory/3968-14-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download
memory/3968-13-0x000000001CC60000-0x000000001CC9C000-memory.dmp

Filesize
240KB

Download
memory/3968-12-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

Filesize
72KB

Download
memory/3968-9-0x000000001C160000-0x000000001C212000-memory.dmp

Filesize
712KB

Download
memory/3968-8-0x000000001C050000-0x000000001C0A0000-memory.dmp

Filesize
320KB

Download
memory/3968-7-0x00007FFFAB710000-0x00007FFFAC1D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads