quasar | 965b676b1f41d84e4db8100d4658eaaf99cebc90d2e2430bd48bcc7634d257d6

General

Target

AerisBoostrapper-13-2.exe
Size

3.1MB
MD5

e2a60937f0b261889509480a6aeccd28
SHA1

e7388a6fe6b26369bd049fcb9274676b8e799626
SHA256

d2c8622fb29e5e0b800926c2ace9dbfd35fe798bb81dd05f992016aafbbad059
SHA512

c517dcbe37fe6d55a763b7223b0f64073c46569b1afa8868ccf56ff1b0afce0c83eb3cce30bd0978a82a8cd60e0d5f7e4705890e304ba9f283f7023eb166fd36
SSDEEP

49152:xviI22SsaNYfdPBldt698dBcjH/HzhNmzLQoGdbTHHB72eh2NT:xvv22SsaNYfdPBldt6+dBcjHfzhR

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.7.254:4782

Mutex

ec379305-a810-4d7e-97bd-07901661d993

Attributes

encryption_key
4F7174D194172642AE5CB98C8155E3A959E610E5
install_name
MsMpEng.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2128-1-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/files/0x00080000000156a8-5.dat	family_quasar
behavioral1/memory/2736-9-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2736	MsMpEng.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\MsMpEng.exe	AerisBoostrapper-13-2.exe
File opened for modification	C:\Windows\system32\SubDir\MsMpEng.exe	AerisBoostrapper-13-2.exe
File opened for modification	C:\Windows\system32\SubDir	AerisBoostrapper-13-2.exe
File opened for modification	C:\Windows\system32\SubDir\MsMpEng.exe	MsMpEng.exe
File opened for modification	C:\Windows\system32\SubDir	MsMpEng.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2844	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	AerisBoostrapper-13-2.exe
Token: SeDebugPrivilege	2736	MsMpEng.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	MsMpEng.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2736	MsMpEng.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	MsMpEng.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2844	2128	AerisBoostrapper-13-2.exe	30
PID 2128 wrote to memory of 2844	2128	AerisBoostrapper-13-2.exe	30
PID 2128 wrote to memory of 2844	2128	AerisBoostrapper-13-2.exe	30
PID 2128 wrote to memory of 2736	2128	AerisBoostrapper-13-2.exe	32
PID 2128 wrote to memory of 2736	2128	AerisBoostrapper-13-2.exe	32
PID 2128 wrote to memory of 2736	2128	AerisBoostrapper-13-2.exe	32
PID 2736 wrote to memory of 2612	2736	MsMpEng.exe	33
PID 2736 wrote to memory of 2612	2736	MsMpEng.exe	33
PID 2736 wrote to memory of 2612	2736	MsMpEng.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AerisBoostrapper-13-2.exe
"C:\Users\Admin\AppData\Local\Temp\AerisBoostrapper-13-2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Windows\system32\SubDir\MsMpEng.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2844
- C:\Windows\system32\SubDir\MsMpEng.exe
  "C:\Windows\system32\SubDir\MsMpEng.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security" /sc ONLOGON /tr "C:\Windows\system32\SubDir\MsMpEng.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\MsMpEng.exe

Filesize
3.1MB

MD5
e2a60937f0b261889509480a6aeccd28

SHA1
e7388a6fe6b26369bd049fcb9274676b8e799626

SHA256
d2c8622fb29e5e0b800926c2ace9dbfd35fe798bb81dd05f992016aafbbad059

SHA512
c517dcbe37fe6d55a763b7223b0f64073c46569b1afa8868ccf56ff1b0afce0c83eb3cce30bd0978a82a8cd60e0d5f7e4705890e304ba9f283f7023eb166fd36

Download Submit
memory/2128-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download
memory/2128-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-10-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-8-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-9-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/2736-11-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads