quasar | 4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

Analysis

max time kernel
4294178s
max time network
128s
platform
windows7_x64
resource
win7-20220311-en
submitted
24-03-2022 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
Size

348KB
MD5

4e22eda5918426ccbc58319c13978906
SHA1

080d364b894ee591be92afa782db2ae93192bea9
SHA256

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f
SHA512

03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Score

10^/10

quasar test1 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test1

sharaga.ddns.net:25565

81.1.158.128:25565

Mutex

QSR_MUTEX_2Wq2bcpv2N4Sls5IAl

Attributes

encryption_key
3IYxH0O6qCkTu1k47KTz
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java
subdirectory
.minecraft

Signatures

Quasar Payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/956-54-0x00000000008D0000-0x000000000092E000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
behavioral1/memory/392-61-0x00000000008E0000-0x000000000093E000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 2 IoCs

Processes:

java.exejava.exe

pid process

392 java.exe
1136 java.exe

pid	process
392	java.exe
1136	java.exe

Loads dropped DLL 7 IoCs

Processes:

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exeWerFault.execmd.exe

pid	process
956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
1448	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe\""	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "\"C:\\Users\\Admin\\AppData\\Roaming\\.minecraft\\java.exe\""	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 392 WerFault.exe java.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

628 schtasks.exe
1436 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

572 PING.EXE

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2008	392	WerFault.exe	java.exe

pid	process
628	schtasks.exe
1436	schtasks.exe

pid	process
572	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exejava.exe

description	pid	process
Token: SeDebugPrivilege	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
Token: SeDebugPrivilege	392	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

392 java.exe

pid	process
392	java.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exejava.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 628	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	schtasks.exe
PID 956 wrote to memory of 628	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	schtasks.exe
PID 956 wrote to memory of 628	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	schtasks.exe
PID 956 wrote to memory of 628	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	schtasks.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 956 wrote to memory of 392	956	4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe	java.exe
PID 392 wrote to memory of 1436	392	java.exe	schtasks.exe
PID 392 wrote to memory of 1436	392	java.exe	schtasks.exe
PID 392 wrote to memory of 1436	392	java.exe	schtasks.exe
PID 392 wrote to memory of 1436	392	java.exe	schtasks.exe
PID 392 wrote to memory of 1448	392	java.exe	cmd.exe
PID 392 wrote to memory of 1448	392	java.exe	cmd.exe
PID 392 wrote to memory of 1448	392	java.exe	cmd.exe
PID 392 wrote to memory of 1448	392	java.exe	cmd.exe
PID 1448 wrote to memory of 1548	1448	cmd.exe	chcp.com
PID 1448 wrote to memory of 1548	1448	cmd.exe	chcp.com
PID 392 wrote to memory of 2008	392	java.exe	WerFault.exe
PID 1448 wrote to memory of 1548	1448	cmd.exe	chcp.com
PID 1448 wrote to memory of 1548	1448	cmd.exe	chcp.com
PID 392 wrote to memory of 2008	392	java.exe	WerFault.exe
PID 392 wrote to memory of 2008	392	java.exe	WerFault.exe
PID 392 wrote to memory of 2008	392	java.exe	WerFault.exe
PID 1448 wrote to memory of 572	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 572	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 572	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 572	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe
PID 1448 wrote to memory of 1136	1448	cmd.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe
"C:\Users\Admin\AppData\Local\Temp\4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:628

C:\Users\Admin\AppData\Roaming\.minecraft\java.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\java.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\.minecraft\java.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aPG0S5sFRk5C.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:572

C:\Users\Admin\AppData\Roaming\.minecraft\java.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\java.exe"
4⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1480
3⤵
- Loads dropped DLL
- Program crash
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aPG0S5sFRk5C.bat
MD5
2b45e4851a6b38660be7598860437f2a

SHA1
5e4656b505f31660d64259cd55831e90fc1c3a9a

SHA256
90e495af705a70bf2f525f56c9a71cdfe5cda282da17de55f4ab0929ee0a5c41

SHA512
6dcbd5e75cbd20a91f62d9271c849560181b1e426fe869a085b20ad6271516a4c8a766682a639024545aeff2ffee6129621b271225dc3cfb6f588d81d1fe5785

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\java.exe
MD5
4e22eda5918426ccbc58319c13978906

SHA1
080d364b894ee591be92afa782db2ae93192bea9

SHA256
4a1bb7243d93faccacfdf4a5b329d31a176521857158e951132caadd8a84083f

SHA512
03cc56592add96ea7d3fc592308c4043558b17b55cbe520c5e24764fb489dabfdbe51910a59d537b795073cb1ed6b10a3b703b68bf4a24fcfa91b91c3c875901

Download Submit
memory/392-61-0x00000000008E0000-0x000000000093E000-memory.dmp

Filesize
376KB

Download
memory/392-58-0x0000000000000000-mapping.dmp

Download
memory/572-71-0x0000000000000000-mapping.dmp

Download
memory/628-56-0x0000000000000000-mapping.dmp

Download
memory/956-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/956-54-0x00000000008D0000-0x000000000092E000-memory.dmp

Filesize
376KB

Download
memory/1136-74-0x0000000000000000-mapping.dmp

Download
memory/1436-62-0x0000000000000000-mapping.dmp

Download
memory/1448-63-0x0000000000000000-mapping.dmp

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/2008-66-0x0000000000000000-mapping.dmp

Download