quasar | 20e4551dddd4f64d90e97da62dc0befde72128d2b3995e251fb12c734b5c686b

General

Target

Client-built.exe
Size

3.1MB
MD5

c94e39405f4ff6b5e5bcd0f221f7602d
SHA1

1ed42e129448fe9c0e078c292b9638747c82c5d7
SHA256

20e4551dddd4f64d90e97da62dc0befde72128d2b3995e251fb12c734b5c686b
SHA512

19f420aca31adf075dfb32897c6efdbd6aa5d1129ee110bd19411e662bb3c0eff40f44dc639a40d3a2a67eb4a3cfd7ee024589caf9604ad439b08d46745cec94
SSDEEP

49152:WvVuf2NUaNmwzPWlvdaKM7ZxTwEjRJ6EbR3LoGdFBCTHHB72eh2NT:Wvgf2NUaNmwzPWlvdaB7ZxTwEjRJ6O

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

138.0.54.91:4782

192.168.3.5:4782

208.67.222.222:4782

Mutex

63563c99-67f3-4d20-8c7f-230c3d970b36

Attributes

encryption_key
E22572FBAE45F5F894074ED475A27E306499B335
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Link
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4420-1-0x0000000000CA0000-0x0000000000FC4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	Client-built.exe
Token: SeDebugPrivilege	5008	taskmgr.exe
Token: SeSystemProfilePrivilege	5008	taskmgr.exe
Token: SeCreateGlobalPrivilege	5008	taskmgr.exe
Token: 33	5008	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5008	taskmgr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4420	Client-built.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4420	Client-built.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe
5008	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4420-0-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/4420-1-0x0000000000CA0000-0x0000000000FC4000-memory.dmp

Filesize
3.1MB

Download
memory/4420-2-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-3-0x000000001CA30000-0x000000001CA80000-memory.dmp

Filesize
320KB

Download
memory/4420-4-0x000000001CB40000-0x000000001CBF2000-memory.dmp

Filesize
712KB

Download
memory/4420-5-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/4420-6-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-7-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-8-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-9-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-13-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-19-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-18-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-17-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-16-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-15-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download
memory/5008-14-0x000002667F940000-0x000002667F941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing