quasar | cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

General

Target

tmp.exe
Size

505KB
MD5

56fdac38d6004e0bc5fb2d5c961322e2
SHA1

470111decd8883231c720a05eab77032e8b77250
SHA256

cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a
SHA512

3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Score

10^/10

quasar new1 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

new1

C2

bigrussianfloppa.duckdns.org:1004

Mutex

a8db07ed-e16a-4405-a04c-3980d567bfdb

Attributes

encryption_key
49FAF85C97BB43AF1E641011D48AB0EBC58C478E
install_name
java.exe
log_directory
logz
reconnect_delay
300
startup_key
Java
subdirectory
JavaTools

Signatures

Quasar Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-56-0x0000000001370000-0x00000000013F4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe	family_quasar
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe	family_quasar
behavioral1/memory/432-60-0x00000000012E0000-0x0000000001364000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

432 java.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

556 schtasks.exe
632 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exejava.exe

description pid process

Token: SeDebugPrivilege 1804 tmp.exe
Token: SeDebugPrivilege 432 java.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

432 java.exe

pid	process
432	java.exe

pid	process
556	schtasks.exe
632	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1804	tmp.exe
Token: SeDebugPrivilege	432	java.exe

pid	process
432	java.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exejava.exe

description	pid	process	target process
PID 1804 wrote to memory of 556	1804	tmp.exe	schtasks.exe
PID 1804 wrote to memory of 556	1804	tmp.exe	schtasks.exe
PID 1804 wrote to memory of 556	1804	tmp.exe	schtasks.exe
PID 1804 wrote to memory of 432	1804	tmp.exe	java.exe
PID 1804 wrote to memory of 432	1804	tmp.exe	java.exe
PID 1804 wrote to memory of 432	1804	tmp.exe	java.exe
PID 432 wrote to memory of 632	432	java.exe	schtasks.exe
PID 432 wrote to memory of 632	432	java.exe	schtasks.exe
PID 432 wrote to memory of 632	432	java.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:556
- C:\Users\Admin\AppData\Roaming\JavaTools\java.exe
  "C:\Users\Admin\AppData\Roaming\JavaTools\java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaTools\java.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JavaTools\java.exe

MD5
56fdac38d6004e0bc5fb2d5c961322e2

SHA1
470111decd8883231c720a05eab77032e8b77250

SHA256
cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

SHA512
3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Download Submit
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe

MD5
56fdac38d6004e0bc5fb2d5c961322e2

SHA1
470111decd8883231c720a05eab77032e8b77250

SHA256
cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

SHA512
3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Download Submit
memory/432-60-0x00000000012E0000-0x0000000001364000-memory.dmp

Filesize
528KB

Download
memory/432-61-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/432-62-0x000000001AF90000-0x000000001AF92000-memory.dmp

Filesize
8KB

Download
memory/1804-55-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/1804-56-0x0000000001370000-0x00000000013F4000-memory.dmp

Filesize
528KB

Download
memory/1804-57-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads