quasar | 864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

General

Target

Test2.exe
Size

3.1MB
MD5

7f888b6cbd5062a7558eea61eb9a9ca2
SHA1

2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
SHA512

7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8
SSDEEP

49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

llordiWasHere-55715.portmap.host:55715

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes

encryption_key
5F48258CBD7D9014A9443146E8A3D837D1715CAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4768-1-0x0000000000CA0000-0x0000000000FC4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b7e-6.dat	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 3 IoCs

pid	Process
1276	Client.exe
316	Client.exe
640	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4548	PING.EXE
4468	PING.EXE
3612	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3612	PING.EXE
4548	PING.EXE
4468	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	Test2.exe
Token: SeDebugPrivilege	1276	Client.exe
Token: SeDebugPrivilege	316	Client.exe
Token: SeDebugPrivilege	640	Client.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1276	Client.exe
316	Client.exe
640	Client.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1276	Client.exe
316	Client.exe
640	Client.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1276	4768	Test2.exe	82
PID 4768 wrote to memory of 1276	4768	Test2.exe	82
PID 1276 wrote to memory of 4372	1276	Client.exe	83
PID 1276 wrote to memory of 4372	1276	Client.exe	83
PID 4372 wrote to memory of 1412	4372	cmd.exe	85
PID 4372 wrote to memory of 1412	4372	cmd.exe	85
PID 4372 wrote to memory of 4548	4372	cmd.exe	86
PID 4372 wrote to memory of 4548	4372	cmd.exe	86
PID 4372 wrote to memory of 316	4372	cmd.exe	91
PID 4372 wrote to memory of 316	4372	cmd.exe	91
PID 316 wrote to memory of 1968	316	Client.exe	92
PID 316 wrote to memory of 1968	316	Client.exe	92
PID 1968 wrote to memory of 2628	1968	cmd.exe	94
PID 1968 wrote to memory of 2628	1968	cmd.exe	94
PID 1968 wrote to memory of 4468	1968	cmd.exe	95
PID 1968 wrote to memory of 4468	1968	cmd.exe	95
PID 1968 wrote to memory of 640	1968	cmd.exe	99
PID 1968 wrote to memory of 640	1968	cmd.exe	99
PID 640 wrote to memory of 3616	640	Client.exe	100
PID 640 wrote to memory of 3616	640	Client.exe	100
PID 3616 wrote to memory of 3628	3616	cmd.exe	102
PID 3616 wrote to memory of 3628	3616	cmd.exe	102
PID 3616 wrote to memory of 3612	3616	cmd.exe	103
PID 3616 wrote to memory of 3612	3616	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Test2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ah5tYfCnYhBp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1412
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4548
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0FILUFm8kZEb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2628
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ShEOlstLqsqs.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0FILUFm8kZEb.bat

Filesize
207B

MD5
1f5424b1d82668032517b294f05ecbe4

SHA1
b3ebf505533398d721516f40bd4d15525f4bb1fe

SHA256
435cb8d913a277eff29d44f6066dd7ff0176573d295dce7e4edfbf5621c086c7

SHA512
7136ad118b6640619d6b9103919d017ef47e7af0e3dc18bda5031e99af90d56bb020a33f0ea3962d61db21ba8895471b56e25833047b44236b70b0c091c8bab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ah5tYfCnYhBp.bat

Filesize
207B

MD5
4fb8130c6f4556246d27927436d540d4

SHA1
f27e87861343f4a7b30c74a79e6bc71726e9a806

SHA256
91de74545f6307ce6043ae2043a6930b9a711497037d531215116d82218b4a2f

SHA512
b52b6e41f90dbb97256a14a0d0284ffe39b6edab805e44218075a86cdf1c6efde5b7ac829c1a4ffc01721fd0fea4189c66a6c8660bfb0adedfadc59ddf5326d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShEOlstLqsqs.bat

Filesize
207B

MD5
a12139a5ad752dc0a1f6aa896503136b

SHA1
fdef02ecec7c6d6faad8f093b93a1038cd33e84a

SHA256
e3ab1756938e35d630396fa970edf3384f52f84086e5e4d6ee7a00f965d8b798

SHA512
5c8addd024156cf0da0669902e09dcafb9a2f056da5fb843d2fa9ec0a434224e7b44027938351ff8e381866cf71d06109da144114f8021e8c2862a52989ea0b2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7f888b6cbd5062a7558eea61eb9a9ca2

SHA1
2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

SHA256
864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

SHA512
7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

Download Submit
memory/1276-11-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/1276-12-0x000000001E0D0000-0x000000001E120000-memory.dmp

Filesize
320KB

Download
memory/1276-13-0x000000001E1E0000-0x000000001E292000-memory.dmp

Filesize
712KB

Download
memory/1276-19-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/1276-10-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x0000000000CA0000-0x0000000000FC4000-memory.dmp

Filesize
3.1MB

Download
memory/4768-9-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4768-2-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/4768-0-0x00007FFEC6143000-0x00007FFEC6145000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing