quasar | cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

General

Target

tmp.exe
Size

505KB
MD5

56fdac38d6004e0bc5fb2d5c961322e2
SHA1

470111decd8883231c720a05eab77032e8b77250
SHA256

cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a
SHA512

3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Score

10^/10

quasar new1 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

new1

C2

bigrussianfloppa.duckdns.org:1004

Mutex

a8db07ed-e16a-4405-a04c-3980d567bfdb

Attributes

encryption_key
49FAF85C97BB43AF1E641011D48AB0EBC58C478E
install_name
java.exe
log_directory
logz
reconnect_delay
300
startup_key
Java
subdirectory
JavaTools

Signatures

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3992-130-0x0000000000E70000-0x0000000000EF4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe	family_quasar
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

3908 java.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.ipify.org
36 api.ipify.org
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1084 schtasks.exe
2944 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exejava.exe

description pid process

Token: SeDebugPrivilege 3992 tmp.exe
Token: SeDebugPrivilege 3908 java.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

3908 java.exe

pid	process
3908	java.exe

flow	ioc
37	api.ipify.org
36	api.ipify.org

pid	process
1084	schtasks.exe
2944	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3992	tmp.exe
Token: SeDebugPrivilege	3908	java.exe

pid	process
3908	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

tmp.exejava.exe

description	pid	process	target process
PID 3992 wrote to memory of 1084	3992	tmp.exe	schtasks.exe
PID 3992 wrote to memory of 1084	3992	tmp.exe	schtasks.exe
PID 3992 wrote to memory of 3908	3992	tmp.exe	java.exe
PID 3992 wrote to memory of 3908	3992	tmp.exe	java.exe
PID 3908 wrote to memory of 2944	3908	java.exe	schtasks.exe
PID 3908 wrote to memory of 2944	3908	java.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1084
- C:\Users\Admin\AppData\Roaming\JavaTools\java.exe
  "C:\Users\Admin\AppData\Roaming\JavaTools\java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaTools\java.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\JavaTools\java.exe

MD5
56fdac38d6004e0bc5fb2d5c961322e2

SHA1
470111decd8883231c720a05eab77032e8b77250

SHA256
cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

SHA512
3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Download Submit
C:\Users\Admin\AppData\Roaming\JavaTools\java.exe

MD5
56fdac38d6004e0bc5fb2d5c961322e2

SHA1
470111decd8883231c720a05eab77032e8b77250

SHA256
cd2a19b6db25d50aa3413300fe5d1183a082a388e9b12d47fbb6ef765e1c819a

SHA512
3c9f4534c275f09935dc38853e9733145ade98ef53cb4d6f7cd4d530d938c4e00117f995778d343285e3e2829fbceab3681e43772cff91fba7d41ba81c3a60dc

Download Submit
memory/3908-135-0x00007FFA6A453000-0x00007FFA6A455000-memory.dmp

Filesize
8KB

Download
memory/3908-136-0x000000001B260000-0x000000001B262000-memory.dmp

Filesize
8KB

Download
memory/3908-137-0x00000000025D0000-0x0000000002620000-memory.dmp

Filesize
320KB

Download
memory/3908-138-0x000000001B970000-0x000000001BA22000-memory.dmp

Filesize
712KB

Download
memory/3992-130-0x0000000000E70000-0x0000000000EF4000-memory.dmp

Filesize
528KB

Download
memory/3992-131-0x00007FFA6A453000-0x00007FFA6A455000-memory.dmp

Filesize
8KB

Download
memory/3992-132-0x000000001BC70000-0x000000001BC72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads