quasar | 75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0

General

Target

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Size

430KB
MD5

0b4a3956c5776695047b654f3cb9aa41
SHA1

c1e273e4a064c60072a6b4ddf8a824b5e3e15f8f
SHA256

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0
SHA512

3fd501a621944aef7040d558921f6dacc95a61d00e0fe485fa1d2493a1f0c0dc7a46049e38c125b1b583c25ce3297851e9e88e714440cc28187ce86eba2172fc

Score

10^/10

quasar raz spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Raz

C2

tornoob.me:900

Mutex

QSR_MUTEX_d1O3bbvoVmFYPAM7rt

Attributes

encryption_key
T288HhNTvZ5ItWMC1F2I
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4200-154-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com

flow	ioc
19	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process	target process
PID 4712 set thread context of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3600 timeout.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings powershell.exe

pid	process
3600	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

pid	process
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
60	powershell.exe
60	powershell.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

WScript.exe

pid process

2272 WScript.exe

pid	process
2272	WScript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process
Token: SeDebugPrivilege	2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
Token: SeDebugPrivilege	4200	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.execmd.exepowershell.exe75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

description	pid	process	target process
PID 2684 wrote to memory of 4072	2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 2684 wrote to memory of 4072	2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 2684 wrote to memory of 4072	2684	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	cmd.exe
PID 4072 wrote to memory of 3600	4072	cmd.exe	timeout.exe
PID 4072 wrote to memory of 3600	4072	cmd.exe	timeout.exe
PID 4072 wrote to memory of 3600	4072	cmd.exe	timeout.exe
PID 4072 wrote to memory of 60	4072	cmd.exe	powershell.exe
PID 4072 wrote to memory of 60	4072	cmd.exe	powershell.exe
PID 4072 wrote to memory of 60	4072	cmd.exe	powershell.exe
PID 60 wrote to memory of 2272	60	powershell.exe	WScript.exe
PID 60 wrote to memory of 2272	60	powershell.exe	WScript.exe
PID 60 wrote to memory of 2272	60	powershell.exe	WScript.exe
PID 60 wrote to memory of 4712	60	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 60 wrote to memory of 4712	60	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 60 wrote to memory of 4712	60	powershell.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 3644	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 3644	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 3644	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
PID 4712 wrote to memory of 4200	4712	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe	75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe

C:\Users\Admin\AppData\Local\Temp\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Local\Temp\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\A.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe'
2⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\A.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe'
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A.js"
4⤵
- Suspicious behavior: RenamesItself
PID:2272

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
5⤵
PID:3644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75431a6683fad5d34da65ac5bf4f79dbeeb1be402bd5010d4b8ed4e2a2145ef0.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.js
Filesize
346B

MD5
7405b8cdaa4b015d7ac2c77191b675cd

SHA1
872a3a3b97ae76fe1556c1da9a55a40e4af9bb70

SHA256
b9de75b6da4c78188585e316b8390c01ae6bb89e61171f6f0255965c2ffec365

SHA512
f238f52f97e286da48718c68e3b44f2c8c40274d426c4564dbb26bd21b3f7d913ab9505d5955136be7738634aad4ebd7f2cb3682a66dc59f0abe8623c2c02baa

Download Submit
memory/60-142-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/60-150-0x0000000008690000-0x0000000008D0A000-memory.dmp

Filesize
6.5MB

Download
memory/60-144-0x0000000006830000-0x00000000068C6000-memory.dmp

Filesize
600KB

Download
memory/60-145-0x00000000067B0000-0x00000000067CA000-memory.dmp

Filesize
104KB

Download
memory/60-143-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/60-147-0x0000000002AB5000-0x0000000002AB7000-memory.dmp

Filesize
8KB

Download
memory/60-146-0x0000000006800000-0x0000000006822000-memory.dmp

Filesize
136KB

Download
memory/60-138-0x0000000000000000-mapping.dmp

Download
memory/60-139-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/60-140-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/60-141-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/2272-149-0x0000000000000000-mapping.dmp

Download
memory/2684-135-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/2684-133-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/2684-130-0x00000000005A0000-0x0000000000612000-memory.dmp

Filesize
456KB

Download
memory/2684-131-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/2684-134-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/2684-132-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3600-137-0x0000000000000000-mapping.dmp

Download
memory/3644-152-0x0000000000000000-mapping.dmp

Download
memory/4072-136-0x0000000000000000-mapping.dmp

Download
memory/4200-153-0x0000000000000000-mapping.dmp

Download
memory/4200-154-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4200-155-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/4200-156-0x0000000006D00000-0x0000000006D3C000-memory.dmp

Filesize
240KB

Download
memory/4712-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads