quasar | 178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de

Analysis

max time kernel
158s
max time network
131s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
Size

6.8MB
MD5

4d8eb19e4c6ad857cf5f0b1eed9613a6
SHA1

a907eb422049512f9efcfbefc7bf9fb5a2500d89
SHA256

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de
SHA512

74a2be4e0acdb4378f20a7b9ca4ac753fa0faad57b67163d087e1ec79df808e1ffc2d5687e6404a126645939f4dd8128a095077d85ac933aaa7fdeba3e4714ce

Score

10^/10

quasar vapeuser evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

VapeUser

pangrowman.myddns.me:4782

Mutex

d7ca8b59-e988-46e5-b633-b83737aaab77

Attributes

encryption_key
843E9B8CFBAC676CE893EA246D37E169B7DB0FB4
install_name
MicrosoftSupport.exe
log_directory
Logs
reconnect_delay
5000
startup_key
Windows Support
subdirectory
Windows

Signatures

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe	family_quasar
behavioral1/memory/472-60-0x00000000010E0000-0x0000000001164000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Ijgfvrk.exeEjwkpjr.exe

pid process

472 Ijgfvrk.exe
1632 Ejwkpjr.exe

pid	process
472	Ijgfvrk.exe
1632	Ejwkpjr.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ejwkpjr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ejwkpjr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ejwkpjr.exe

Loads dropped DLL 8 IoCs

Processes:

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exeWerFault.exe

pid	process
1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
1544
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
behavioral1/memory/1632-66-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
behavioral1/memory/1632-67-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
behavioral1/memory/1632-68-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
behavioral1/memory/1632-69-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
behavioral1/memory/1632-70-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
behavioral1/memory/1632-72-0x000000013F270000-0x00000001402E6000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Ejwkpjr.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ejwkpjr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ejwkpjr.exe

Drops file in System32 directory 2 IoCs

Processes:

Ijgfvrk.exe

description	ioc	process
File created	C:\Windows\system32\Windows\MicrosoftSupport.exe	Ijgfvrk.exe
File opened for modification	C:\Windows\system32\Windows\MicrosoftSupport.exe	Ijgfvrk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Ejwkpjr.exe

pid process

1632 Ejwkpjr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

984 1632 WerFault.exe Ejwkpjr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Ejwkpjr.exeWerFault.exe

pid process

1632 Ejwkpjr.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

984 WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ijgfvrk.exeEjwkpjr.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 472 Ijgfvrk.exe
Token: SeDebugPrivilege 1632 Ejwkpjr.exe
Token: SeDebugPrivilege 984 WerFault.exe

pid	process
1632	Ejwkpjr.exe

pid	pid_target	process	target process
984	1632	WerFault.exe	Ejwkpjr.exe

pid	process
1488	schtasks.exe

pid	process
1632	Ejwkpjr.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

pid	process
984	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	472	Ijgfvrk.exe
Token: SeDebugPrivilege	1632	Ejwkpjr.exe
Token: SeDebugPrivilege	984	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exeEjwkpjr.exeIjgfvrk.exe

description	pid	process	target process
PID 1888 wrote to memory of 472	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 1888 wrote to memory of 472	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 1888 wrote to memory of 472	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 1888 wrote to memory of 472	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ijgfvrk.exe
PID 1888 wrote to memory of 1632	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 1888 wrote to memory of 1632	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 1888 wrote to memory of 1632	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 1888 wrote to memory of 1632	1888	178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe	Ejwkpjr.exe
PID 1632 wrote to memory of 984	1632	Ejwkpjr.exe	WerFault.exe
PID 1632 wrote to memory of 984	1632	Ejwkpjr.exe	WerFault.exe
PID 1632 wrote to memory of 984	1632	Ejwkpjr.exe	WerFault.exe
PID 472 wrote to memory of 1488	472	Ijgfvrk.exe	schtasks.exe
PID 472 wrote to memory of 1488	472	Ijgfvrk.exe	schtasks.exe
PID 472 wrote to memory of 1488	472	Ijgfvrk.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe
"C:\Users\Admin\AppData\Local\Temp\178e5e0d6dbe5efae3613343b8569a95cb92d4c9f1e7593247f77265fe2be0de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe
"C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Support" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1488

C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe
"C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1632 -s 364
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe

MD5
e1032a4d1c87a284617af64f9d29be37

SHA1
3e60cab4c29c96edcf30d93e1c55cdeaacfd5c66

SHA256
fc7f67995d35e7ce3281ba1e9d1949a068f2d21a9deb67e575c1241f265f63fa

SHA512
a1ef68c8e524ae9dda469c384aab4fac94e8c313f961a9c4006a8324d2e098625a95eb2f6309f00b2ad7dc9cf4116f8dc36fccfae487e41ded7e29ae678e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe

MD5
e1032a4d1c87a284617af64f9d29be37

SHA1
3e60cab4c29c96edcf30d93e1c55cdeaacfd5c66

SHA256
fc7f67995d35e7ce3281ba1e9d1949a068f2d21a9deb67e575c1241f265f63fa

SHA512
a1ef68c8e524ae9dda469c384aab4fac94e8c313f961a9c4006a8324d2e098625a95eb2f6309f00b2ad7dc9cf4116f8dc36fccfae487e41ded7e29ae678e4ea5

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ejwkpjr.exe

MD5
3459f3a3d65fa445d1eb52611ac55f6c

SHA1
135c835edfeec60e41bc1b24f1a10ad7a86c9a00

SHA256
9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

SHA512
1dbf42476304cefd859754f1d8219c0b37cc5b2885527f874245a37df5e1145dbcc1ff1ce34bdf0fa47df8a503e37244ff07a37bb92e8f2514533d8a89926d8b

Download Submit
\Users\Admin\AppData\Local\Temp\Ijgfvrk.exe

MD5
e1032a4d1c87a284617af64f9d29be37

SHA1
3e60cab4c29c96edcf30d93e1c55cdeaacfd5c66

SHA256
fc7f67995d35e7ce3281ba1e9d1949a068f2d21a9deb67e575c1241f265f63fa

SHA512
a1ef68c8e524ae9dda469c384aab4fac94e8c313f961a9c4006a8324d2e098625a95eb2f6309f00b2ad7dc9cf4116f8dc36fccfae487e41ded7e29ae678e4ea5

Download Submit
memory/472-64-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/472-60-0x00000000010E0000-0x0000000001164000-memory.dmp

Filesize
528KB

Download
memory/472-71-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download
memory/984-80-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/984-74-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1632-66-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-72-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-70-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-69-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-68-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-67-0x000000013F270000-0x00000001402E6000-memory.dmp

Filesize
16.5MB

Download
memory/1632-65-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

Filesize
8KB

Download
memory/1888-54-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/1888-56-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1888-55-0x0000000000400000-0x0000000000ACE000-memory.dmp

Filesize
6.8MB

Download