quasar | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff

General

Target

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Size

401KB
MD5

e514b9b328bcebbfafc9a9f9bded8324
SHA1

45e608a882de0a203ddde9ff5efa2b79ca48350c
SHA256

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff
SHA512

548698b0f45b5e080ea7a9903f51399290c11f9f31e3633351d48304ddba5363a1065a8f32114db124963827e902558cdab4f0ca9ca26b4ba118e46b16b4a703

Score

10^/10

quasar revengerat zenoxpu spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.0

Botnet

ZenoXpu

C2

185.153.222.198:7845

Mutex

HIFbOBRX8hIfqiy4wu

Attributes

encryption_key
DQXvqTzM5uyODUsZK174
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2932-136-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral2/memory/2932-142-0x0000000005600000-0x0000000005BA4000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 2 IoCs

Processes:

aspnet_compiler.exeaspnet_compiler.exe

pid process

772 aspnet_compiler.exe
2932 aspnet_compiler.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip-api.com

pid	process
772	aspnet_compiler.exe
2932	aspnet_compiler.exe

flow	ioc
33	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

description	pid	process	target process
PID 1684 set thread context of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

pid	process
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Token: SeDebugPrivilege	2932	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

description	pid	process	target process
PID 1684 wrote to memory of 772	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 772	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 772	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe
PID 1684 wrote to memory of 2932	1684	857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
"C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
2⤵
- Executes dropped EXE
PID:772

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
memory/1684-134-0x0000000004CE0000-0x0000000004CFE000-memory.dmp

Filesize
120KB

Download
memory/1684-131-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1684-133-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1684-130-0x00000000002E0000-0x000000000034A000-memory.dmp

Filesize
424KB

Download
memory/1684-132-0x0000000004D40000-0x0000000004DB6000-memory.dmp

Filesize
472KB

Download
memory/2932-140-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/2932-139-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/2932-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2932-141-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2932-142-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/2932-143-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2932-144-0x00000000067A0000-0x00000000067B2000-memory.dmp

Filesize
72KB

Download
memory/2932-145-0x0000000006BD0000-0x0000000006C0C000-memory.dmp

Filesize
240KB

Download
memory/2932-146-0x0000000006D90000-0x0000000006D9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads