quasar | f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Size

5.5MB
MD5

d39ebc382ec4e299ebfe7c2cc37677fc
SHA1

b28d02f9d146248ef878a23d2cfba7c2be828795
SHA256

f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b
SHA512

44647f02fe00af43767162ace5b86480e47c3ef7a625775a25895a817d2be1fa93acffa5767253422735891c6259fcb9baf1afb46407d8e53db68ecd10aaa51a
SSDEEP

98304:RmBng9T/DSjSHtu4ffZN238DqQcBrcM7LacCmpfqAZekM5s3iD56lbSzfk:Y6DSjSHA4ffZI38kBPfacCmpCAZekM5c

Score

10^/10

quasar revengerat office bootkit defense_evasion discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.87.154.103:4782

45.87.154.103:5552

Mutex

U79isvQ39fwJG6MYPN

Attributes

encryption_key
cpXWTWxmR3Z0HXR8Fdwt
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2700-9-0x0000000000450000-0x0000000000550000-memory.dmp	family_quasar
behavioral1/memory/2040-35-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2040-37-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2040-38-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mokajotabet.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mokajotabet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mokajotabet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mokajotabet.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wajohadon.url	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wajohadon.url	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	mokajotabet.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mokajotabet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
File opened for modification	\??\PhysicalDrive0	mokajotabet.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
2780	mokajotabet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 2040	2780	mokajotabet.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mokajotabet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	cmd.exe
2672	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2672	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
2780	mokajotabet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2780	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	31
PID 2700 wrote to memory of 2604	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	32
PID 2700 wrote to memory of 2604	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	32
PID 2700 wrote to memory of 2604	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	32
PID 2700 wrote to memory of 2604	2700	f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe	32
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35
PID 2780 wrote to memory of 2040	2780	mokajotabet.exe	35

C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe
"C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\ProgramData\kanovemamal\mokajotabet.exe
  "C:\ProgramData\kanovemamal\mokajotabet.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\f06b06c6332c2f6fa8ae2e650dd36ed70e850ac9a19ddf58193c357f0fbb349b.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp

Filesize
16B

MD5
8ba7c838ab15c599b7738854fcff343e

SHA1
b9e953c3d4f82fee91989d329052a35c932c84c1

SHA256
149fe925f3d8ac8abe574830c8e3e256b56d95d7c6fe6dff6a0e795f6ac7c938

SHA512
4f675754bd93138a540167f69cbed21974f957670c790eef7a56eaf744c84ca110f35edad6823edb4fbc76b24e5e595823246b6065a68b9f9cda2973e60b0de5

Download Submit
memory/2040-38-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2040-37-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2040-31-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2040-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2040-35-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2700-23-0x0000000001340000-0x0000000001F9F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-0-0x0000000001340000-0x0000000001F9F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-19-0x0000000003BC0000-0x000000000481F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-9-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2700-5-0x0000000001340000-0x0000000001F9F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-4-0x0000000001340000-0x0000000001F9F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-3-0x0000000001340000-0x0000000001F9F000-memory.dmp

Filesize
12.4MB

Download
memory/2700-1-0x00000000776C0000-0x00000000776C2000-memory.dmp

Filesize
8KB

Download
memory/2780-21-0x0000000000B00000-0x000000000175F000-memory.dmp

Filesize
12.4MB

Download
memory/2780-25-0x0000000000B00000-0x000000000175F000-memory.dmp

Filesize
12.4MB

Download
memory/2780-26-0x0000000000B00000-0x000000000175F000-memory.dmp

Filesize
12.4MB

Download
memory/2780-28-0x0000000000B00000-0x000000000175F000-memory.dmp

Filesize
12.4MB

Download
memory/2780-39-0x0000000000B00000-0x000000000175F000-memory.dmp

Filesize
12.4MB

Download