quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

General

Target

2klz.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4224-1-0x0000000000CB0000-0x0000000000FD4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c93-7.dat	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2klz.exe

Executes dropped EXE 3 IoCs

pid	Process
2592	2klz.exe
208	2klz.exe
1008	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3716	PING.EXE
3752	PING.EXE
692	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3752	PING.EXE
692	PING.EXE
3716	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	2klz.exe
Token: SeDebugPrivilege	2592	2klz.exe
Token: SeDebugPrivilege	208	2klz.exe
Token: SeDebugPrivilege	1008	2klz.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2592	2klz.exe
208	2klz.exe
1008	2klz.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2592	2klz.exe
208	2klz.exe
1008	2klz.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2592	4224	2klz.exe	82
PID 4224 wrote to memory of 2592	4224	2klz.exe	82
PID 2592 wrote to memory of 8	2592	2klz.exe	84
PID 2592 wrote to memory of 8	2592	2klz.exe	84
PID 8 wrote to memory of 2108	8	cmd.exe	86
PID 8 wrote to memory of 2108	8	cmd.exe	86
PID 8 wrote to memory of 3716	8	cmd.exe	87
PID 8 wrote to memory of 3716	8	cmd.exe	87
PID 8 wrote to memory of 208	8	cmd.exe	90
PID 8 wrote to memory of 208	8	cmd.exe	90
PID 208 wrote to memory of 660	208	2klz.exe	94
PID 208 wrote to memory of 660	208	2klz.exe	94
PID 660 wrote to memory of 2512	660	cmd.exe	96
PID 660 wrote to memory of 2512	660	cmd.exe	96
PID 660 wrote to memory of 3752	660	cmd.exe	97
PID 660 wrote to memory of 3752	660	cmd.exe	97
PID 660 wrote to memory of 1008	660	cmd.exe	105
PID 660 wrote to memory of 1008	660	cmd.exe	105
PID 1008 wrote to memory of 1368	1008	2klz.exe	107
PID 1008 wrote to memory of 1368	1008	2klz.exe	107
PID 1368 wrote to memory of 1360	1368	cmd.exe	109
PID 1368 wrote to memory of 1360	1368	cmd.exe	109
PID 1368 wrote to memory of 692	1368	cmd.exe	110
PID 1368 wrote to memory of 692	1368	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\2klz.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOzOJVwIsbxq.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2108
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3716
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\to7XjmVNESSY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2512
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3752
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMF4RBW9sgvh.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2klz.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMF4RBW9sgvh.bat

Filesize
205B

MD5
18e985f3cd47dee4cbd0b80a562d74d2

SHA1
0c76f1380fbca1e036f0d1fa323d10ea21eacfa7

SHA256
8316ceeed2d00d86f3a3e2c128fd65fc33b011c07d51f8ed611f372cc2a77cd4

SHA512
5d1e8038e27c5fa2947c9cc3a8527f46099a28fbd90a8e096b17786d5018772b665c62a0bd77d28388046fb6448ca3b84883a94bbf71825ca013d6927f9019cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOzOJVwIsbxq.bat

Filesize
205B

MD5
84f7bae07b94d4474e6dbbc724c74b79

SHA1
ca09d9a446f47810dfddc1e582a60dc8510a17ed

SHA256
ca720f161913f1bdcbc6fd537def39d458a6cfc9768cb4e27ea683f0a27146f1

SHA512
abf16bd1c62ee39efe75a769e3b9d6b8ccbf8e62312c61de00ef03833c755ef4354e6a5614870c784c1d1c982fb15a36ec6467ef54b5cdbade0bdc64f5bc0578

Download Submit
C:\Users\Admin\AppData\Local\Temp\to7XjmVNESSY.bat

Filesize
205B

MD5
007ec27f17f0c6a7b541012396b07771

SHA1
f364a3fceaa45cf484a7d7651e2df42d52a3da19

SHA256
13151d8bc7d9d399943f3dbba4c96e6d8be7dd0cc1b60e74274dca4f4b8d6770

SHA512
8fcda1b74f20957e14b4e4404e3cfbe9edd809949eac43ae95229f197a6ec6f63028f7e51b0dab4c61addfbfe23024157530ee10c5994731d803acd024748ba5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/2592-11-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/2592-12-0x000000001C960000-0x000000001C9B0000-memory.dmp

Filesize
320KB

Download
memory/2592-13-0x000000001CA70000-0x000000001CB22000-memory.dmp

Filesize
712KB

Download
memory/2592-9-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/2592-18-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/4224-10-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/4224-0-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/4224-2-0x00007FF871C50000-0x00007FF871F19000-memory.dmp

Filesize
2.8MB

Download
memory/4224-1-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing