quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

General

Target

2klz.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2056-1-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016d69-6.dat	family_quasar
behavioral1/memory/2836-9-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2836	2klz.exe
2792	2klz.exe
1240	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2892	PING.EXE
1996	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2892	PING.EXE
1996	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	2klz.exe
Token: SeDebugPrivilege	2836	2klz.exe
Token: SeDebugPrivilege	2792	2klz.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2836	2klz.exe
2792	2klz.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2836	2klz.exe
2792	2klz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2836	2klz.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2836	2056	2klz.exe	29
PID 2056 wrote to memory of 2836	2056	2klz.exe	29
PID 2056 wrote to memory of 2836	2056	2klz.exe	29
PID 2836 wrote to memory of 1380	2836	2klz.exe	30
PID 2836 wrote to memory of 1380	2836	2klz.exe	30
PID 2836 wrote to memory of 1380	2836	2klz.exe	30
PID 1380 wrote to memory of 2920	1380	cmd.exe	32
PID 1380 wrote to memory of 2920	1380	cmd.exe	32
PID 1380 wrote to memory of 2920	1380	cmd.exe	32
PID 1380 wrote to memory of 2892	1380	cmd.exe	33
PID 1380 wrote to memory of 2892	1380	cmd.exe	33
PID 1380 wrote to memory of 2892	1380	cmd.exe	33
PID 1380 wrote to memory of 2792	1380	cmd.exe	34
PID 1380 wrote to memory of 2792	1380	cmd.exe	34
PID 1380 wrote to memory of 2792	1380	cmd.exe	34
PID 2792 wrote to memory of 1496	2792	2klz.exe	35
PID 2792 wrote to memory of 1496	2792	2klz.exe	35
PID 2792 wrote to memory of 1496	2792	2klz.exe	35
PID 1496 wrote to memory of 2380	1496	cmd.exe	37
PID 1496 wrote to memory of 2380	1496	cmd.exe	37
PID 1496 wrote to memory of 2380	1496	cmd.exe	37
PID 1496 wrote to memory of 1996	1496	cmd.exe	38
PID 1496 wrote to memory of 1996	1496	cmd.exe	38
PID 1496 wrote to memory of 1996	1496	cmd.exe	38
PID 1496 wrote to memory of 1240	1496	cmd.exe	39
PID 1496 wrote to memory of 1240	1496	cmd.exe	39
PID 1496 wrote to memory of 1240	1496	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\2klz.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWJHuDKHw7lG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2920
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2892
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hUVHM9c54UyQ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2380
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1996
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Executes dropped EXE
        
        PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AWJHuDKHw7lG.bat

Filesize
205B

MD5
1b225b2c20fd5cc31b948ec46e690b4f

SHA1
ded45eb475e22682626573eef8826bb5422eaa46

SHA256
39906ffb25bbc303ee1a75aec64f339c7b2c95644667682382138614e662dfe8

SHA512
6aea89ef6eaa7cbfedfd439ed1cab50f6c8de52dfa4fe47b04ebc9efe4e6a3b7b734bb66dc6948c12ef8c71b78c61b878694982a72b7004facc570c51cb7feae

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUVHM9c54UyQ.bat

Filesize
205B

MD5
47bb444b1be0fbf9ca8557beb786453c

SHA1
c40847ce19e039e790a8a2d0239fc8922a5f4920

SHA256
7552b669315240f5575089ebc93c7090e640ea77bd8e51388a52a098186a2bc0

SHA512
fba2050440a78b670f556e12cd2d0b2d3a13d6d5c64ce2b282b2c537d2fa8ddd18674eaa62bbc5f37b71b01712550441aeb315b575781cf3056113136c23f66e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
2.4MB

MD5
c7a2ee6a033f28e50dee10f258c12283

SHA1
7cb801658f0cea9feafe2c17d6ffeaa73cb57757

SHA256
55d3ca40e7d2580ca36e9b97e3aa0df974e8cd10a1ea2adb48928374b72117b1

SHA512
25b91c12c8924ceea79f09f92fbdeaa7bbb3366c814a40c819d2f9cbffde761d268d43cfaee6d1b54bbd57ec321f1f35443b468c6daa5871e66423278f456377

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/1240-34-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/2056-10-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/2056-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2056-1-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/2836-11-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-21-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-9-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/2836-8-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing