quasar | 75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0

General

Target

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Size

430KB
MD5

0b4a3956c5776695047b654f3cb9aa41
SHA1

c1e273e4a064c60072a6b4ddf8a824b5e3e15f8f
SHA256

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0
SHA512

3fd501a621944aef7040d558921f6dacc95a61d00e0fe485fa1d2493a1f0c0dc7a46049e38c125b1b583c25ce3297851e9e88e714440cc28187ce86eba2172fc

Score

10^/10

quasar raz spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Raz

C2

tornoob.me:900

Mutex

QSR_MUTEX_d1O3bbvoVmFYPAM7rt

Attributes

encryption_key
T288HhNTvZ5ItWMC1F2I
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/900-72-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/900-73-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/900-74-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/900-75-0x000000000045819E-mapping.dmp	family_quasar
behavioral1/memory/900-77-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/900-79-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Beds Protector Packer 2 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/960-56-0x0000000000710000-0x0000000000774000-memory.dmp	beds_protector
behavioral1/memory/1552-68-0x0000000000AB0000-0x0000000000B14000-memory.dmp	beds_protector

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process	target process
PID 1552 set thread context of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1068 timeout.exe

pid	process
1068	timeout.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

pid	process
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

WScript.exe

pid process

472 WScript.exe

pid	process
472	WScript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process
Token: SeDebugPrivilege	960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Token: SeDebugPrivilege	900	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.execmd.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process	target process
PID 960 wrote to memory of 1124	960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 960 wrote to memory of 1124	960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 960 wrote to memory of 1124	960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 960 wrote to memory of 1124	960	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 1124 wrote to memory of 1068	1124	cmd.exe	timeout.exe
PID 1124 wrote to memory of 1068	1124	cmd.exe	timeout.exe
PID 1124 wrote to memory of 1068	1124	cmd.exe	timeout.exe
PID 1124 wrote to memory of 1068	1124	cmd.exe	timeout.exe
PID 1124 wrote to memory of 1120	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 1120	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 1120	1124	cmd.exe	powershell.exe
PID 1124 wrote to memory of 1120	1124	cmd.exe	powershell.exe
PID 1120 wrote to memory of 472	1120	powershell.exe	WScript.exe
PID 1120 wrote to memory of 472	1120	powershell.exe	WScript.exe
PID 1120 wrote to memory of 472	1120	powershell.exe	WScript.exe
PID 1120 wrote to memory of 472	1120	powershell.exe	WScript.exe
PID 1120 wrote to memory of 1552	1120	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1120 wrote to memory of 1552	1120	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1120 wrote to memory of 1552	1120	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1120 wrote to memory of 1552	1120	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 1552 wrote to memory of 900	1552	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

C:\Users\Admin\AppData\Local\Temp\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Local\Temp\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\A.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe'
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:1068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\A.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A.js"
4⤵
- Suspicious behavior: RenamesItself
PID:472

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.js
Filesize
346B

MD5
7405b8cdaa4b015d7ac2c77191b675cd

SHA1
872a3a3b97ae76fe1556c1da9a55a40e4af9bb70

SHA256
b9de75b6da4c78188585e316b8390c01ae6bb89e61171f6f0255965c2ffec365

SHA512
f238f52f97e286da48718c68e3b44f2c8c40274d426c4564dbb26bd21b3f7d913ab9505d5955136be7738634aad4ebd7f2cb3682a66dc59f0abe8623c2c02baa

Download Submit
memory/472-63-0x0000000000000000-mapping.dmp

Download
memory/900-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-72-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-75-0x000000000045819E-mapping.dmp

Download
memory/900-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-69-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/900-70-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-54-0x0000000000D60000-0x0000000000DD2000-memory.dmp

Filesize
456KB

Download
memory/960-56-0x0000000000710000-0x0000000000774000-memory.dmp

Filesize
400KB

Download
memory/960-55-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/1068-58-0x0000000000000000-mapping.dmp

Download
memory/1120-59-0x0000000000000000-mapping.dmp

Download
memory/1120-61-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-57-0x0000000000000000-mapping.dmp

Download
memory/1552-68-0x0000000000AB0000-0x0000000000B14000-memory.dmp

Filesize
400KB

Download
memory/1552-66-0x0000000000E00000-0x0000000000E72000-memory.dmp

Filesize
456KB

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads