quasar | 0a61127840266ccb44c1faf9fe57db4e3354f163814ecebbbcbbddcca8f7e371

General

Target

CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Size

630KB
MD5

dc8d9c9a86fe4830053697c1dc59dc6f
SHA1

a63fa3cc878efe75ecf849111c3e3d417fef4fdd
SHA256

5dcd1649d97e0da882778ec70677be52b49603b6596b044518f02c278d93d0f2
SHA512

8f91aca4b85d53745f395888ffb8e2d5f17f06afc7e302f2ed19c840377c70ef807ba14748fefd2a756b27b54808651087fbcba572f0d162b06c8a0e9283ef8c

Score

10^/10

quasar persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CDC GUIDES COVID-19 Second Outbreak Warning release.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

flow	ioc
16	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

CDC GUIDES COVID-19 Second Outbreak Warning release.exe

description	pid	process	target process
PID 4764 set thread context of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CDC GUIDES COVID-19 Second Outbreak Warning release.exeCDC GUIDES COVID-19 Second Outbreak Warning release.exe

description	pid	process
Token: SeDebugPrivilege	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
Token: SeDebugPrivilege	648	CDC GUIDES COVID-19 Second Outbreak Warning release.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

CDC GUIDES COVID-19 Second Outbreak Warning release.exe

description	pid	process	target process
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe
PID 4764 wrote to memory of 648	4764	CDC GUIDES COVID-19 Second Outbreak Warning release.exe	CDC GUIDES COVID-19 Second Outbreak Warning release.exe

C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
"C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe
"C:\Users\Admin\AppData\Local\Temp\CDC GUIDES COVID-19 Second Outbreak Warning release.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CDC GUIDES COVID-19 Second Outbreak Warning release.exe.log
MD5
c5016515c6ff7988db3db0761d3916ef

SHA1
a0b03e89fca731257cfee8563e085838fadcd1f1

SHA256
4525469179c5b3357e439a11b0cbefdfa93b755e9caeae932759416d14f57e46

SHA512
1efb13a6272ae7c763e7670e11ea3a3955c88e66d3ca807bf4ac734014492a13a63646b03abd675aa68e0b1228a5b518e5544478ea90aa9842e6d8b925b38807

Download Submit
memory/648-12-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/648-15-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/648-20-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/648-19-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/648-18-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/648-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/648-10-0x00000000004581DE-mapping.dmp

Download
memory/648-16-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x0000000005930000-0x0000000005946000-memory.dmp

Filesize
88KB

Download
memory/4764-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/4764-3-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000005750000-0x000000000581F000-memory.dmp

Filesize
828KB

Download
memory/4764-7-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4764-6-0x0000000005820000-0x0000000005887000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads