quasar | 151e2900f743156d22c24cd82f3ea1b8027d2e4d5f13fb2588113fa5e02b81e5

General

Target

Client-built.exe
Size

3.3MB
MD5

73391479ada904ff9341ad5dd398d7d5
SHA1

a70fc4abda717d3e6847d888eb35a8de925a54c7
SHA256

151e2900f743156d22c24cd82f3ea1b8027d2e4d5f13fb2588113fa5e02b81e5
SHA512

b15add9e1b09307c14014f1f8702bd0e5a47c7537fd480f8587d319e42718e791a68ff47fceae2a6a2083de9b92d590c5742000c07f0716cdf50e8b34ff9ac06
SSDEEP

49152:hvflL26AaNeWgPhlmVqvMQ7XSK4cGkBewXojda5qTHHB72eh2NTG:hvtL26AaNeWgPhlmVqkQ7XSKvGM

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.200.148.155:6060

Mutex

4b3820e0-d123-49d9-b51e-3c4daa4f6874

Attributes

encryption_key
F8879E9B26846C57C99B6F152F74703E1CC15B8B
install_name
SecurityHealthSystray.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SecurityHealthSystray.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/3032-1-0x0000000000CE0000-0x0000000001032000-memory.dmp	family_quasar
behavioral1/files/0x000800000001945c-6.dat	family_quasar
behavioral1/memory/2976-8-0x00000000001C0000-0x0000000000512000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2976	SecurityHealthSystray.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\SecurityHealthSystray.exe	SecurityHealthSystray.exe
File opened for modification	C:\Windows\system32\SubDir	SecurityHealthSystray.exe
File created	C:\Windows\system32\SubDir\SecurityHealthSystray.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\SecurityHealthSystray.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2152	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	Client-built.exe
Token: SeDebugPrivilege	2976	SecurityHealthSystray.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	SecurityHealthSystray.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2976	SecurityHealthSystray.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2176	3032	Client-built.exe	30
PID 3032 wrote to memory of 2176	3032	Client-built.exe	30
PID 3032 wrote to memory of 2176	3032	Client-built.exe	30
PID 3032 wrote to memory of 2976	3032	Client-built.exe	32
PID 3032 wrote to memory of 2976	3032	Client-built.exe	32
PID 3032 wrote to memory of 2976	3032	Client-built.exe	32
PID 2976 wrote to memory of 2152	2976	SecurityHealthSystray.exe	33
PID 2976 wrote to memory of 2152	2976	SecurityHealthSystray.exe	33
PID 2976 wrote to memory of 2152	2976	SecurityHealthSystray.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "SecurityHealthSystray.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SecurityHealthSystray.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2176
- C:\Windows\system32\SubDir\SecurityHealthSystray.exe
  "C:\Windows\system32\SubDir\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "SecurityHealthSystray.exe" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SecurityHealthSystray.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\SecurityHealthSystray.exe

Filesize
3.3MB

MD5
73391479ada904ff9341ad5dd398d7d5

SHA1
a70fc4abda717d3e6847d888eb35a8de925a54c7

SHA256
151e2900f743156d22c24cd82f3ea1b8027d2e4d5f13fb2588113fa5e02b81e5

SHA512
b15add9e1b09307c14014f1f8702bd0e5a47c7537fd480f8587d319e42718e791a68ff47fceae2a6a2083de9b92d590c5742000c07f0716cdf50e8b34ff9ac06

Download Submit
memory/2976-8-0x00000000001C0000-0x0000000000512000-memory.dmp

Filesize
3.3MB

Download
memory/2976-11-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-9-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-12-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000000CE0000-0x0000000001032000-memory.dmp

Filesize
3.3MB

Download
memory/3032-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-10-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads