quasar | 358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd

General

Target

Eggpy.exe
Size

3.3MB
MD5

311933ce408d4d388840c403a42324a8
SHA1

d8087493d05a664639ec0855bb636789be0bae53
SHA256

358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd
SHA512

965957a8e15ebd5ced85e827c9888ae69e2be563c0488b64d7c59eccf686330171a475beeae36140c271b06072c5675fe90ff9ef011cba396edd25df3928656b
SSDEEP

49152:ovKgo2QSaNpzyPllgamb0CZof/JaG83ear1LoGdHh7THHB72eh2NT/:ovjo2QSaNpzyPllgamYCZof/JE3VXw

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

AWZ3153-54894.portmap.host:54894

AWZ3153-54894.portmap.host:4782

Mutex

504548b2-3cf4-4efe-90ce-156d3776854c

Attributes

encryption_key
5F9B0D3C7007E834C112F6078ABD8C2684830A3F
install_name
cmdline.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
cmd

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4528-1-0x00000000008F0000-0x0000000000C44000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c9b-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1356	cmdline.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5072	schtasks.exe
428	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1412	WINWORD.EXE
1412	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1356	cmdline.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	Eggpy.exe
Token: SeDebugPrivilege	1356	cmdline.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1356	cmdline.exe
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 428	4528	Eggpy.exe	83
PID 4528 wrote to memory of 428	4528	Eggpy.exe	83
PID 4528 wrote to memory of 1356	4528	Eggpy.exe	85
PID 4528 wrote to memory of 1356	4528	Eggpy.exe	85
PID 1356 wrote to memory of 5072	1356	cmdline.exe	86
PID 1356 wrote to memory of 5072	1356	cmdline.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Eggpy.exe
"C:\Users\Admin\AppData\Local\Temp\Eggpy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:428
- C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe
  "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5072

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RedoApprove.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD8136.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
330B

MD5
8ee4eae2060465580e40e086053a0d33

SHA1
ab2579e1634c4635dd145f44125574601e11bfc8

SHA256
2c37d2bcdeba3f17b8125ec9cfefbc3a511b04d923963fdf3571655dd2b0b6cb

SHA512
95b3e260a1837a7077f890b735d20b245c15f00e352220a6fad310d616f72d640d441f2ceb40c008236a91c5a37aa526c6fc7a0ef1b5c0e3ac46ff5023fc7cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
79b45af5da70840cd3e984158a9a5bf8

SHA1
2fbdb4bb1a614891426bb7c22efdac91c9278d14

SHA256
6ba56271904bd877658b1ebe0077ad29620a97f4750c05783266d28ea62f81ff

SHA512
0ae59efd6f24e7a7f7f71fa45c1c954fc458844832fbdfadb27facd5ea4ebc71aad8b714091ff7a13b8e75dbc430a6049fd01559f3214492c68cb3bd2fd55378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of RedoApprove.asd

Filesize
32KB

MD5
75363aceede6de99b7ad3cd086f8daf4

SHA1
027c80174c81f4f5faabd29c24bcd416c490ea1a

SHA256
2feddbd3dd52da264737bcad59ac843cc08ba4fca7aabc2f4282c8ae6dfa9e7d

SHA512
e79fe84aefbc8e08d1805baf6d58504c5239401fce603e939f668d994e904aad4b316b157adce2b3d12ceedfd7e04a07669c9cea8f97cb42b22666dafa0cee66

Download Submit
C:\Users\Admin\AppData\Roaming\cmd\cmdline.exe

Filesize
3.3MB

MD5
311933ce408d4d388840c403a42324a8

SHA1
d8087493d05a664639ec0855bb636789be0bae53

SHA256
358d36db4fe4df0ae13317555061a4dc3033254f81f53fe78eb59ed84d3483dd

SHA512
965957a8e15ebd5ced85e827c9888ae69e2be563c0488b64d7c59eccf686330171a475beeae36140c271b06072c5675fe90ff9ef011cba396edd25df3928656b

Download Submit
memory/1356-19-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1356-11-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1356-12-0x0000000003250000-0x00000000032A0000-memory.dmp

Filesize
320KB

Download
memory/1356-13-0x000000001C5C0000-0x000000001C672000-memory.dmp

Filesize
712KB

Download
memory/1356-16-0x000000001BCE0000-0x000000001BCF2000-memory.dmp

Filesize
72KB

Download
memory/1356-17-0x000000001BD40000-0x000000001BD7C000-memory.dmp

Filesize
240KB

Download
memory/1356-18-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1356-227-0x000000001E050000-0x000000001E578000-memory.dmp

Filesize
5.2MB

Download
memory/1356-9-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/1412-22-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/1412-21-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/1412-23-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/1412-24-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/1412-25-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/1412-26-0x00007FFF04DB0000-0x00007FFF04DC0000-memory.dmp

Filesize
64KB

Download
memory/1412-20-0x00007FFF076B0000-0x00007FFF076C0000-memory.dmp

Filesize
64KB

Download
memory/4528-10-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/4528-2-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/4528-0-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

Filesize
8KB

Download
memory/4528-1-0x00000000008F0000-0x0000000000C44000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads