quasar | ce179bf67e184c300fbc5b796ef511c14470a9d3c970298bc8e52beaf7fb1195

General

Target

BITCOIN GEN PRIVATE.zip
Size

1.2MB
MD5

2e0fc78070cbd8de4396acfe491986ac
SHA1

f6bf2b612f83f90483d12792696f9529840ad3ac
SHA256

ce179bf67e184c300fbc5b796ef511c14470a9d3c970298bc8e52beaf7fb1195
SHA512

dfcb0391f27912eb0bef5ba9dcfcfaff38f9a6886ffbd23e2ca70ec66a203050fbbe22544894936653cf99bc2c86948692b0e43e87377a5088c59a079167b814
SSDEEP

24576:2pXWKEEizZPwD9NzHNTjInXCzJ9tgNODSY/X/ifKsxA42DUSL6/:2lW12zFISWisxA42Yw6/

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

Mutex

275f2628-c225-4b94-8c3e-6fb61e5e53af

Attributes

encryption_key
F72BC567B8A2606D9029D70BA29A969A6DEB42D8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ab5f-5.dat	family_quasar
behavioral1/memory/2904-7-0x00000000006E0000-0x0000000000A04000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2904	Bitcoingens.pdf.exe
816	Client.exe
1872	Bitcoingens.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3808	schtasks.exe
1468	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4788	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4788	7zFM.exe
Token: 35	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe
Token: SeDebugPrivilege	2904	Bitcoingens.pdf.exe
Token: SeDebugPrivilege	816	Client.exe
Token: SeDebugPrivilege	1872	Bitcoingens.pdf.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4788	7zFM.exe
4788	7zFM.exe
4788	7zFM.exe
816	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
816	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
816	Client.exe
3744	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3808	2904	Bitcoingens.pdf.exe	82
PID 2904 wrote to memory of 3808	2904	Bitcoingens.pdf.exe	82
PID 2904 wrote to memory of 816	2904	Bitcoingens.pdf.exe	84
PID 2904 wrote to memory of 816	2904	Bitcoingens.pdf.exe	84
PID 816 wrote to memory of 1468	816	Client.exe	85
PID 816 wrote to memory of 1468	816	Client.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BITCOIN GEN PRIVATE.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3516

C:\Users\Admin\Desktop\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe
"C:\Users\Admin\Desktop\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3808
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1468

C:\Users\Admin\Desktop\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe
"C:\Users\Admin\Desktop\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bitcoingens.pdf.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\73535340-e66a-40a4-91a3-3efbfe49277c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\Desktop\BITCOIN GEN PRIVATE\Bitcoingens.pdf.exe

Filesize
3.1MB

MD5
571474cb077262465a4ff6747023b90b

SHA1
be44641489168160ed22ab2b57658a94394441b6

SHA256
2ba889c691dea990e030ef2707a242017df0f094d8d1eadb37343e82f6417e3f

SHA512
e34117b3c5567843019f84d3b8b849404f4463f67188ed26241839c91e91275c4f916a7bde5dcaaeb0fa625e7bbaf682d60a91ec28d01deaafac3e7afb39ee15

Download Submit
memory/816-15-0x000000001C680000-0x000000001C6D0000-memory.dmp

Filesize
320KB

Download
memory/816-16-0x000000001C790000-0x000000001C842000-memory.dmp

Filesize
712KB

Download
memory/816-17-0x000000001CE80000-0x000000001D3A8000-memory.dmp

Filesize
5.2MB

Download
memory/2904-6-0x00007FFBE15F3000-0x00007FFBE15F5000-memory.dmp

Filesize
8KB

Download
memory/2904-7-0x00000000006E0000-0x0000000000A04000-memory.dmp

Filesize
3.1MB

Download
memory/2904-8-0x00007FFBE15F0000-0x00007FFBE20B2000-memory.dmp

Filesize
10.8MB

Download
memory/2904-14-0x00007FFBE15F0000-0x00007FFBE20B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads