quasar | 60c5af78dbbde0379ee14544cd4f98cead5f516842fcbb94b3b1e035b82c0ac4

General

Target

Client-built.exe
Size

3.1MB
MD5

06550a7d85870e79df0d9a55fb3bac98
SHA1

ed011b024814c737519d026bec4138ef8569d779
SHA256

60c5af78dbbde0379ee14544cd4f98cead5f516842fcbb94b3b1e035b82c0ac4
SHA512

51e48bf7e4f3a5b9f7b6806153423f9c484cc1405260a283539efad7c21cd50327b9670fb9f06cd25239d50e3fa7d168ec831a856d8b52d9ace2f63425bfb163
SSDEEP

49152:Tvae821/aQWl8P0lSk3aKA3Z+nMwRJ6ObR3LoGdhUKSTHHB72eh2NT:Tvx821/aQWl8P0lSk3DA3Z+nMwRJ6I

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.145:4782

192.168.56.1:4784

192.168.1.145:4784

192.168.1.254:4784

Mutex

9d952f82-b8b7-4948-b2b7-53c225a63ebb

Attributes

encryption_key
AAB9DCB0841C8C889A6BCA76764D0770416B2FE1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3140-1-0x00000000006F0000-0x0000000000A14000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ca2-6.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
1848	Client.exe
4164	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4132	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4132	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4644	schtasks.exe
2328	schtasks.exe
2864	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	Client-built.exe
Token: SeDebugPrivilege	1848	Client.exe
Token: SeDebugPrivilege	4164	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1848	Client.exe
4164	Client.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2864	3140	Client-built.exe	82
PID 3140 wrote to memory of 2864	3140	Client-built.exe	82
PID 3140 wrote to memory of 1848	3140	Client-built.exe	84
PID 3140 wrote to memory of 1848	3140	Client-built.exe	84
PID 1848 wrote to memory of 4644	1848	Client.exe	85
PID 1848 wrote to memory of 4644	1848	Client.exe	85
PID 1848 wrote to memory of 4368	1848	Client.exe	96
PID 1848 wrote to memory of 4368	1848	Client.exe	96
PID 4368 wrote to memory of 2204	4368	cmd.exe	98
PID 4368 wrote to memory of 2204	4368	cmd.exe	98
PID 4368 wrote to memory of 4132	4368	cmd.exe	99
PID 4368 wrote to memory of 4132	4368	cmd.exe	99
PID 4368 wrote to memory of 4164	4368	cmd.exe	100
PID 4368 wrote to memory of 4164	4368	cmd.exe	100
PID 4164 wrote to memory of 2328	4164	Client.exe	101
PID 4164 wrote to memory of 2328	4164	Client.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2864
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eb8zp7kLKRq7.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2204
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4132
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb8zp7kLKRq7.bat

Filesize
207B

MD5
3cf09da634888f700955504145dff2c8

SHA1
cdcde930c0626bbcfcd0aa712fe05879dfb790c0

SHA256
d4d49353a54328e1ff839b81749561df3dadd4b79436108019d02f2812a92015

SHA512
ca34673431646d03385ce37bfedb205ba1e2e35e3d09feaf9dbc26fbde4d0a8cbf9875194a5089267aaed7fea8eeb2751c35e68b6ce453bd47194ce34560525e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
06550a7d85870e79df0d9a55fb3bac98

SHA1
ed011b024814c737519d026bec4138ef8569d779

SHA256
60c5af78dbbde0379ee14544cd4f98cead5f516842fcbb94b3b1e035b82c0ac4

SHA512
51e48bf7e4f3a5b9f7b6806153423f9c484cc1405260a283539efad7c21cd50327b9670fb9f06cd25239d50e3fa7d168ec831a856d8b52d9ace2f63425bfb163

Download Submit
memory/1848-11-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/1848-10-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/1848-12-0x000000001CFD0000-0x000000001D020000-memory.dmp

Filesize
320KB

Download
memory/1848-13-0x000000001D0E0000-0x000000001D192000-memory.dmp

Filesize
712KB

Download
memory/1848-14-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/1848-19-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3140-9-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3140-0-0x00007FFF96F53000-0x00007FFF96F55000-memory.dmp

Filesize
8KB

Download
memory/3140-2-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3140-1-0x00000000006F0000-0x0000000000A14000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads