quasar | ee1411bf2015e16b221d444007a0b60b8f98f842e110198c3a2fb119b459a3da

General

Target

Client-built.exe
Size

3.1MB
MD5

878ebdf1e55421d4fdb712ba2e427cfe
SHA1

fa6d04743a198c16261a3dbc14f6cd1f0fbc70aa
SHA256

ee1411bf2015e16b221d444007a0b60b8f98f842e110198c3a2fb119b459a3da
SHA512

cc9a4d7d4f411ba5b8836faceb1fae2605c96502f1f5f0b935e2c7a62bfe9641b84b30eba1ed3f12757c5cae244d5870bd153272d6760694f7f101e713f69173
SSDEEP

49152:uvAG42pda6D+/PjlLOlg6yQipVZxOEMkKk/JxnoGd5K5THHB72eh2NT:uvD42pda6D+/PjlLOlZyQipVZxBx

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

http://stable-notably-hound.ngrok-free.app/:443

Mutex

8f9ed790-a4d4-42d4-a715-3c3c28f6d95b

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2888-1-0x00000000004D0000-0x00000000007F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
976	PING.EXE
3352	PING.EXE
400	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3352	PING.EXE
400	PING.EXE
976	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	Client-built.exe
Token: SeDebugPrivilege	1824	Client-built.exe
Token: SeDebugPrivilege	1944	Client-built.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2888	Client-built.exe
1824	Client-built.exe
1944	Client-built.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2888	Client-built.exe
1824	Client-built.exe
1944	Client-built.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1064	2888	Client-built.exe	85
PID 2888 wrote to memory of 1064	2888	Client-built.exe	85
PID 1064 wrote to memory of 4700	1064	cmd.exe	87
PID 1064 wrote to memory of 4700	1064	cmd.exe	87
PID 1064 wrote to memory of 400	1064	cmd.exe	88
PID 1064 wrote to memory of 400	1064	cmd.exe	88
PID 1064 wrote to memory of 1824	1064	cmd.exe	93
PID 1064 wrote to memory of 1824	1064	cmd.exe	93
PID 1824 wrote to memory of 1460	1824	Client-built.exe	94
PID 1824 wrote to memory of 1460	1824	Client-built.exe	94
PID 1460 wrote to memory of 468	1460	cmd.exe	96
PID 1460 wrote to memory of 468	1460	cmd.exe	96
PID 1460 wrote to memory of 976	1460	cmd.exe	97
PID 1460 wrote to memory of 976	1460	cmd.exe	97
PID 1460 wrote to memory of 1944	1460	cmd.exe	101
PID 1460 wrote to memory of 1944	1460	cmd.exe	101
PID 1944 wrote to memory of 2348	1944	Client-built.exe	102
PID 1944 wrote to memory of 2348	1944	Client-built.exe	102
PID 2348 wrote to memory of 4340	2348	cmd.exe	104
PID 2348 wrote to memory of 4340	2348	cmd.exe	104
PID 2348 wrote to memory of 3352	2348	cmd.exe	105
PID 2348 wrote to memory of 3352	2348	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFBoYEqeoVIQ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4700
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hq4BOSIZRj5C.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:468
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fHz7wy5bG72g.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFBoYEqeoVIQ.bat

Filesize
209B

MD5
bba8966c58738bddab2aa02539ad5471

SHA1
2edb3541ffc8c58bf28ce15ead04a3f09d61522c

SHA256
930ec3be89e79151da1db247cbe27acf157d8a3a458bce6b162e4ef3a98d9363

SHA512
33a0fd3d80d7ffd472e32aaa949db2c6a3e7876ca075405d6fe0553586bc9a362272e84c831f54e9202e70d4cca3f240c386a7f091e87ac8cec9569add93f978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hq4BOSIZRj5C.bat

Filesize
209B

MD5
1ed3a824f790aaf11606949f937c7f66

SHA1
0bfd1ea13eb3871ccbc2fe5d19b4c9d2a8ec6e92

SHA256
d71c556b1d9ae9f9d53f46a402b09118629cff988d3fb9d4b7afc8aed0b4882c

SHA512
2ef92198e1c2060ee549dfc35d686afb7135196ed2c1aacd5361bbdf0cbf2434ef011446c5dee59063c1a4e0681201a1a93d988fe30bfcfbb08396b3210c97fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHz7wy5bG72g.bat

Filesize
209B

MD5
22e86921b619011323a6555e34d0c04a

SHA1
a37741f1cf39206e9103d343db1bf8df54c6b156

SHA256
75b53cfca0538d562eeb932c512a559084ddd2cce46ba20a5b1b308373d1e469

SHA512
c34b24d43a17ac0a73935eaca50fc0dce919e4db8eece246b55fdfbfb5fbbd94723ca36ccb4857e7ba17514fa393519d7986e62b4a88556ab7e3eba38b4942c1

Download Submit
memory/1824-13-0x00007FFA365A0000-0x00007FFA37061000-memory.dmp

Filesize
10.8MB

Download
memory/1824-12-0x00007FFA365A0000-0x00007FFA37061000-memory.dmp

Filesize
10.8MB

Download
memory/1824-17-0x00007FFA365A0000-0x00007FFA37061000-memory.dmp

Filesize
10.8MB

Download
memory/2888-9-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2888-4-0x000000001D870000-0x000000001D922000-memory.dmp

Filesize
712KB

Download
memory/2888-3-0x000000001D760000-0x000000001D7B0000-memory.dmp

Filesize
320KB

Download
memory/2888-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

Filesize
8KB

Download
memory/2888-2-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2888-1-0x00000000004D0000-0x00000000007F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing