quasar | 85af420868f937e1d70898ef30664bb62cf3da9eea467191d407eb1f418a67b7

General

Target

celex.exe
Size

3.1MB
MD5

e97bf71664c901e2dd3b02c158d14cc7
SHA1

75827ff9fefcd7bab397d6a7af15f3093e38d1c6
SHA256

85af420868f937e1d70898ef30664bb62cf3da9eea467191d407eb1f418a67b7
SHA512

532b0dcb2027cafb2a568c692360589d855b8c36bcd22b7dfb92c7b71b437e03dc26a55da0c3d0163b3286b9b63980e30d5ebb4d7e5fa6dd2ed3f1aba5f09476
SSDEEP

49152:PvmI22SsaNYfdPBldt698dBcjHpuxNESENk/iJLoGd51THHB72eh2NT:Pvr22SsaNYfdPBldt6+dBcjHMxgZ

Score

10^/10

quasar skid discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

skid

C2

xxvvsn-26169.portmap.host:26169

Mutex

8226deb0-3b7d-44c1-a400-b0a3ce09f515

Attributes

encryption_key
4D464C4B380567B78AB5A85F3161F2F36BAFBE7A
install_name
clnt.exe
log_directory
Logs
reconnect_delay
3000
startup_key
clnt
subdirectory
clnt

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2500-1-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016d21-6.dat	family_quasar
behavioral1/memory/1932-9-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1932	clnt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2464	schtasks.exe
2172	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2396	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	celex.exe
Token: SeDebugPrivilege	1932	clnt.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	clnt.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1932	clnt.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1932	clnt.exe
2396	WINWORD.EXE
2396	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2464	2500	celex.exe	30
PID 2500 wrote to memory of 2464	2500	celex.exe	30
PID 2500 wrote to memory of 2464	2500	celex.exe	30
PID 2500 wrote to memory of 1932	2500	celex.exe	32
PID 2500 wrote to memory of 1932	2500	celex.exe	32
PID 2500 wrote to memory of 1932	2500	celex.exe	32
PID 1932 wrote to memory of 2172	1932	clnt.exe	33
PID 1932 wrote to memory of 2172	1932	clnt.exe	33
PID 1932 wrote to memory of 2172	1932	clnt.exe	33
PID 2396 wrote to memory of 1888	2396	WINWORD.EXE	38
PID 2396 wrote to memory of 1888	2396	WINWORD.EXE	38
PID 2396 wrote to memory of 1888	2396	WINWORD.EXE	38
PID 2396 wrote to memory of 1888	2396	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\celex.exe
"C:\Users\Admin\AppData\Local\Temp\celex.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "clnt" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\clnt\clnt.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2464
- C:\Users\Admin\AppData\Roaming\clnt\clnt.exe
  "C:\Users\Admin\AppData\Roaming\clnt\clnt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "clnt" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\clnt\clnt.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2172

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UninstallRedo.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\clnt\clnt.exe

Filesize
3.1MB

MD5
e97bf71664c901e2dd3b02c158d14cc7

SHA1
75827ff9fefcd7bab397d6a7af15f3093e38d1c6

SHA256
85af420868f937e1d70898ef30664bb62cf3da9eea467191d407eb1f418a67b7

SHA512
532b0dcb2027cafb2a568c692360589d855b8c36bcd22b7dfb92c7b71b437e03dc26a55da0c3d0163b3286b9b63980e30d5ebb4d7e5fa6dd2ed3f1aba5f09476

Download Submit
memory/1932-8-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1932-9-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/1932-11-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1932-12-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-13-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2500-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2500-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-10-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads