quasar | 4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

General

Target

Synaptics.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Score

10^/10

quasar xred cleanerv2 backdoor discovery persistence spyware trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

C2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000025cda-197.dat	family_quasar
behavioral1/memory/4844-204-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	5096	._cache_Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
2172	._cache_Synaptics.exe
3700	Synaptics.exe
5096	._cache_Synaptics.exe
4844	CleanerV2.exe
400	Client.exe

Loads dropped DLL 2 IoCs

pid	Process
3700	Synaptics.exe
3700	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Synaptics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
29	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4220	schtasks.exe
2004	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1172	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	._cache_Synaptics.exe
Token: SeDebugPrivilege	5096	._cache_Synaptics.exe
Token: SeDebugPrivilege	4844	CleanerV2.exe
Token: SeDebugPrivilege	400	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
400	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
400	Client.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
1172	EXCEL.EXE
400	Client.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2172	4776	Synaptics.exe	77
PID 4776 wrote to memory of 2172	4776	Synaptics.exe	77
PID 4776 wrote to memory of 2172	4776	Synaptics.exe	77
PID 4776 wrote to memory of 3700	4776	Synaptics.exe	79
PID 4776 wrote to memory of 3700	4776	Synaptics.exe	79
PID 4776 wrote to memory of 3700	4776	Synaptics.exe	79
PID 3700 wrote to memory of 5096	3700	Synaptics.exe	80
PID 3700 wrote to memory of 5096	3700	Synaptics.exe	80
PID 3700 wrote to memory of 5096	3700	Synaptics.exe	80
PID 5096 wrote to memory of 4844	5096	._cache_Synaptics.exe	90
PID 5096 wrote to memory of 4844	5096	._cache_Synaptics.exe	90
PID 4844 wrote to memory of 4220	4844	CleanerV2.exe	91
PID 4844 wrote to memory of 4220	4844	CleanerV2.exe	91
PID 4844 wrote to memory of 400	4844	CleanerV2.exe	93
PID 4844 wrote to memory of 400	4844	CleanerV2.exe	93
PID 400 wrote to memory of 2004	400	Client.exe	94
PID 400 wrote to memory of 2004	400	Client.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4220
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3504

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\86a8dc27-86d9-426c-b1ef-408d8bec040d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0C75E00

Filesize
22KB

MD5
daf6e82c0c13921cd7c2aff60a7bed9a

SHA1
a548d0f5ff7bedb0bddd64da266c1894d058a311

SHA256
c813009be2c90202c5b84121bef5131c07354f7fd2a92f3c7c7b047fd9bc702f

SHA512
a0239737279d4abc19384a288d2b0f43ba1b32bcd98e7796c6b5f634437ab1e5a44bd9f5316007cd44dbe430b2e33e618c19363f780700390193d9b6a68b3126

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe

Filesize
3.1MB

MD5
e6aeb08ae65e312d03f1092df3ba422c

SHA1
f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62

SHA256
74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e

SHA512
5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsJYrTp9.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/400-211-0x000000001C510000-0x000000001C560000-memory.dmp

Filesize
320KB

Download
memory/400-212-0x000000001C620000-0x000000001C6D2000-memory.dmp

Filesize
712KB

Download
memory/1172-136-0x00007FFF41990000-0x00007FFF419A0000-memory.dmp

Filesize
64KB

Download
memory/1172-138-0x00007FFF41990000-0x00007FFF419A0000-memory.dmp

Filesize
64KB

Download
memory/1172-139-0x00007FFF41990000-0x00007FFF419A0000-memory.dmp

Filesize
64KB

Download
memory/1172-137-0x00007FFF41990000-0x00007FFF419A0000-memory.dmp

Filesize
64KB

Download
memory/1172-140-0x00007FFF41990000-0x00007FFF419A0000-memory.dmp

Filesize
64KB

Download
memory/1172-141-0x00007FFF3EEB0000-0x00007FFF3EEC0000-memory.dmp

Filesize
64KB

Download
memory/1172-142-0x00007FFF3EEB0000-0x00007FFF3EEC0000-memory.dmp

Filesize
64KB

Download
memory/2172-133-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2172-134-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/2172-186-0x000000007244E000-0x000000007244F000-memory.dmp

Filesize
4KB

Download
memory/2172-125-0x000000007244E000-0x000000007244F000-memory.dmp

Filesize
4KB

Download
memory/3700-187-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3700-188-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3700-130-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4776-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4776-128-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4844-204-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads