quasar | e37f5e8a493f127516a17a57e47bb891d665f8a0aed15871c8551c94b38398e4

General

Target

robloxtockenstealer.exe
Size

3.2MB
MD5

e7c12a69820f13031fbc2a3bfe6cff2b
SHA1

8959411ec12367b73ceb4971eb0bed6bf8773a35
SHA256

e37f5e8a493f127516a17a57e47bb891d665f8a0aed15871c8551c94b38398e4
SHA512

25a4a9124d386ece9a3c044d7bc0d03281b901ec8d6f96b840d51f7ec0702da9bf16f07fdda98b0a15409ca604629b3220cbcdc9cff24629eeeb38462282ecde
SSDEEP

98304:DFqg2FttFGwikj7yVEErTRHX0tsEwwjBWOWeYMWmWjn2:DFqgibV7yVDrFHEtsEwwIFM3

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

Mutex

47f0198a-a3d8-4194-852e-7997def309cf

Attributes

encryption_key
C420C6BA5A73AFC71829A3D6D18F010F1FDAE794
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c91-9.dat	family_quasar
behavioral2/memory/4924-18-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	robloxtockenstealer.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	roblox token stealer.exe
2616	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	robloxtockenstealer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe
1224	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	roblox token stealer.exe
Token: SeDebugPrivilege	2616	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	Client.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4348	864	robloxtockenstealer.exe	83
PID 864 wrote to memory of 4348	864	robloxtockenstealer.exe	83
PID 864 wrote to memory of 4924	864	robloxtockenstealer.exe	98
PID 864 wrote to memory of 4924	864	robloxtockenstealer.exe	98
PID 4924 wrote to memory of 2404	4924	roblox token stealer.exe	103
PID 4924 wrote to memory of 2404	4924	roblox token stealer.exe	103
PID 4924 wrote to memory of 2616	4924	roblox token stealer.exe	105
PID 4924 wrote to memory of 2616	4924	roblox token stealer.exe	105
PID 2616 wrote to memory of 1224	2616	Client.exe	106
PID 2616 wrote to memory of 1224	2616	Client.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\robloxtockenstealer.exe
"C:\Users\Admin\AppData\Local\Temp\robloxtockenstealer.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FUD.vbs"
  2⤵
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\roblox token stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\roblox token stealer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2404
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FUD.vbs

Filesize
4.2MB

MD5
9cca465069a35bae68cc1b82da88f003

SHA1
027110cc613450604ebaf1dd2cbf8a955b82b6a3

SHA256
93fc739111a31cc09e04d1ebd4fa635dd4e30cdbc5d660c649c53c01d44d9e42

SHA512
17039a9e6fc039215c4310fc485755c074089e06d0ff377ebfd47706da75b9716e59d7a6d793ee87529428eb47bb8e5050b7e0eca0d6ec4195e412137eb48bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\roblox token stealer.exe

Filesize
3.1MB

MD5
84ac4a7dac25c96d418f9dc5e1191f0e

SHA1
bdcb752789e55531baa65a7bfd81ddd86c89514a

SHA256
7ca6aefc5551b2b2ee2576b8042e900e0c6b6479c5225f08a31699c8f086c9be

SHA512
22bd55c247dc9dc5644cabcb31a09e76694d3e144ec23b7b17b4730cd24cfcc6b8d7e389b7d46fde48862dfeff3e237083e67321cd978aa63fac1a87f19c86a8

Download Submit
memory/2616-25-0x000000001B3B0000-0x000000001B400000-memory.dmp

Filesize
320KB

Download
memory/2616-26-0x000000001BBE0000-0x000000001BC92000-memory.dmp

Filesize
712KB

Download
memory/4924-17-0x00007FFC7A5B3000-0x00007FFC7A5B5000-memory.dmp

Filesize
8KB

Download
memory/4924-18-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads