quasar | f8e5cfd63bc1fafc14772f29cfba051516776ce36ea054dcff65f46146b2a3b1

General

Target

Client-built.exe
Size

3.1MB
MD5

786abdcb703d20e3de3bf5a379d81a14
SHA1

8e14e12df03ed017e2dd98fe1b00d4869ceacac4
SHA256

f8e5cfd63bc1fafc14772f29cfba051516776ce36ea054dcff65f46146b2a3b1
SHA512

28886a95fde73cc6bbf4252374a50979f893ba12d9ac92f95a40c46d5a9ef85dde436bf89a09eb84a7380d799b8ff59e50de7fd192ff17e4d7884d973fa39fe9
SSDEEP

49152:rvht62XlaSFNWPjljiFa2RoUYIYNi3Rar7loGdAxALTHHB72eh2NT:rvL62XlaSFNWPjljiFXRoUYIL3sH

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.46:4782

Mutex

5beee952-b6db-411d-a01f-ad2f22709cbe

Attributes

encryption_key
588523317381A841ECE4E6415CCED796AA0FA544
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3484-1-0x0000000000CF0000-0x0000000001014000-memory.dmp	family_quasar
behavioral1/files/0x000a000000023c8c-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
5072	Client.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
316	schtasks.exe
2940	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3708	vlc.exe
4556	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	mspaint.exe
2080	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3708	vlc.exe
4556	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	Client-built.exe
Token: SeDebugPrivilege	5072	Client.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
5072	Client.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
5072	Client.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
3708	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe
4556	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3708	vlc.exe
4556	vlc.exe
2080	mspaint.exe
4312	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 316	3484	Client-built.exe	83
PID 3484 wrote to memory of 316	3484	Client-built.exe	83
PID 3484 wrote to memory of 5072	3484	Client-built.exe	85
PID 3484 wrote to memory of 5072	3484	Client-built.exe	85
PID 5072 wrote to memory of 2940	5072	Client.exe	86
PID 5072 wrote to memory of 2940	5072	Client.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:316
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockMeasure.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockMeasure.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ApproveBackup.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
786abdcb703d20e3de3bf5a379d81a14

SHA1
8e14e12df03ed017e2dd98fe1b00d4869ceacac4

SHA256
f8e5cfd63bc1fafc14772f29cfba051516776ce36ea054dcff65f46146b2a3b1

SHA512
28886a95fde73cc6bbf4252374a50979f893ba12d9ac92f95a40c46d5a9ef85dde436bf89a09eb84a7380d799b8ff59e50de7fd192ff17e4d7884d973fa39fe9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
c0cd6fec5b5bc4e54b2435e4434f89a8

SHA1
30995caf90b62fd64d7eed4652f61fc8481f6267

SHA256
7ec5ecdbbb8d7b121016fd8f3293c006c44af96ead437c7820be8753e7253a90

SHA512
e6e86ed90cfc0e1ac12590d47f7e5060092ea7f02ea219fdfd80530296bf32454f4bd54b0b8f37b041f84b1239444987d9314fe7c5865b6893497cdad7559d3b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
533B

MD5
fc4faa35177b653234eea9137a0dfe04

SHA1
1f8a4b0c36bca4fa41e46c19c2dd8bd5b7c69133

SHA256
33b354f423a26405d656f705772ac144bff95f0425a53d7c5c4214fedc0aa034

SHA512
abb390e64622f2ab6b547727c76e850142ef4dea728cf598a78273c48a4edcbe90cc8736f7f5aa36b83c58cd08a8ca4444d5a5e233de13e6a7d670ed9fcef875

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
533B

MD5
3b5b290ab11b819fd74eea36bb4c2fd1

SHA1
91f2c916bf697d0fa266a51e3bcf5a5e0680f328

SHA256
25f3aee24619343ae5abc31039c8c02fe07c5dc1cf7b6f138649d6d56d836656

SHA512
6aaa474b7956c538a2b4b91aa3a8704d5a3779e516725b9468544e88215e66bf6f4781e73b732fac3e7227e77b8b585406bd139b76c6f64fc269b041efce4e23

Download Submit
memory/3484-1-0x0000000000CF0000-0x0000000001014000-memory.dmp

Filesize
3.1MB

Download
memory/3484-2-0x00007FF8552C0000-0x00007FF855D81000-memory.dmp

Filesize
10.8MB

Download
memory/3484-0-0x00007FF8552C3000-0x00007FF8552C5000-memory.dmp

Filesize
8KB

Download
memory/3484-9-0x00007FF8552C0000-0x00007FF855D81000-memory.dmp

Filesize
10.8MB

Download
memory/3708-28-0x00007FF785C10000-0x00007FF785D08000-memory.dmp

Filesize
992KB

Download
memory/3708-29-0x00007FF865CF0000-0x00007FF865D24000-memory.dmp

Filesize
208KB

Download
memory/3708-30-0x00007FF84B430000-0x00007FF84B6E6000-memory.dmp

Filesize
2.7MB

Download
memory/3708-31-0x00007FF848D30000-0x00007FF849DE0000-memory.dmp

Filesize
16.7MB

Download
memory/4556-52-0x00007FF785C10000-0x00007FF785D08000-memory.dmp

Filesize
992KB

Download
memory/4556-54-0x00007FF84B430000-0x00007FF84B6E6000-memory.dmp

Filesize
2.7MB

Download
memory/4556-53-0x00007FF865CF0000-0x00007FF865D24000-memory.dmp

Filesize
208KB

Download
memory/4556-55-0x00007FF84D870000-0x00007FF84D97E000-memory.dmp

Filesize
1.1MB

Download
memory/5040-56-0x000001B506660000-0x000001B506670000-memory.dmp

Filesize
64KB

Download
memory/5040-69-0x000001B50EA00000-0x000001B50EA01000-memory.dmp

Filesize
4KB

Download
memory/5040-75-0x000001B50EAA0000-0x000001B50EAA1000-memory.dmp

Filesize
4KB

Download
memory/5040-74-0x000001B50EAA0000-0x000001B50EAA1000-memory.dmp

Filesize
4KB

Download
memory/5040-73-0x000001B50EA90000-0x000001B50EA91000-memory.dmp

Filesize
4KB

Download
memory/5040-72-0x000001B50EA90000-0x000001B50EA91000-memory.dmp

Filesize
4KB

Download
memory/5040-71-0x000001B50EA00000-0x000001B50EA01000-memory.dmp

Filesize
4KB

Download
memory/5040-60-0x000001B506860000-0x000001B506870000-memory.dmp

Filesize
64KB

Download
memory/5040-67-0x000001B50E980000-0x000001B50E981000-memory.dmp

Filesize
4KB

Download
memory/5072-8-0x00007FF8552C0000-0x00007FF855D81000-memory.dmp

Filesize
10.8MB

Download
memory/5072-15-0x00007FF8552C0000-0x00007FF855D81000-memory.dmp

Filesize
10.8MB

Download
memory/5072-10-0x00007FF8552C0000-0x00007FF855D81000-memory.dmp

Filesize
10.8MB

Download
memory/5072-11-0x000000001C9B0000-0x000000001CA00000-memory.dmp

Filesize
320KB

Download
memory/5072-12-0x000000001CAC0000-0x000000001CB72000-memory.dmp

Filesize
712KB

Download
memory/5072-13-0x000000001CA00000-0x000000001CA42000-memory.dmp

Filesize
264KB

Download
memory/5072-14-0x000000001D000000-0x000000001D102000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads