quasar | 30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668

General

Target

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Size

502KB
MD5

e2a90c3e125ae445d0763f4caa47381b
SHA1

e53c0be113b08a33afadad940ed31f9843bfa5b7
SHA256

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668
SHA512

af9c0026f44bdfe8c4f4ed37dfbe5fdfe4fb66652b79459539e7459f822b256dd1c50bee317ea7b37ad583e91cc9603bb9916b2ffa2ce8b941d53ac959ed6c95

Score

10^/10

quasar 1 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

1

C2

dlldns.duckdns.org:20000

whoru222.xyz:20000

whereami3.xyz:20000

letmerat.xyz:20000

selfdestructdns.xyz:20000

wtfimrich666.xyz:20000

p2x4y.xyz:21000

howmanytimes3.xyz:21000

ceeloblack.xyz:21000

thanksfam.xyz:21000

Mutex

2e3c0776-66f3-4050-b059-b831e335e235

Attributes

encryption_key
67DFA5AFA3111DA4B8B545C503A131C3C3D1E34C
install_name
WinUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WinUpdater
subdirectory
WinUpdater

Signatures

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3520-130-0x00000000003B0000-0x0000000000434000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1216 PING.EXE
5064 PING.EXE
4616 PING.EXE

pid	process
1216	PING.EXE
5064	PING.EXE
4616	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

description	pid	process
Token: SeDebugPrivilege	3520	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Token: SeDebugPrivilege	3152	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Token: SeDebugPrivilege	1812	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
Token: SeDebugPrivilege	4296	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

pid	process
3520	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
3152	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
1812	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
4296	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.execmd.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.execmd.exe30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.execmd.exe

description	pid	process	target process
PID 3520 wrote to memory of 2188	3520	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 3520 wrote to memory of 2188	3520	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 2188 wrote to memory of 640	2188	cmd.exe	chcp.com
PID 2188 wrote to memory of 640	2188	cmd.exe	chcp.com
PID 2188 wrote to memory of 4616	2188	cmd.exe	PING.EXE
PID 2188 wrote to memory of 4616	2188	cmd.exe	PING.EXE
PID 2188 wrote to memory of 3152	2188	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
PID 2188 wrote to memory of 3152	2188	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
PID 3152 wrote to memory of 3664	3152	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 3152 wrote to memory of 3664	3152	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 3664 wrote to memory of 1980	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 1980	3664	cmd.exe	chcp.com
PID 3664 wrote to memory of 1216	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 1216	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 1812	3664	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
PID 3664 wrote to memory of 1812	3664	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
PID 1812 wrote to memory of 4632	1812	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 1812 wrote to memory of 4632	1812	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe	cmd.exe
PID 4632 wrote to memory of 2016	4632	cmd.exe	chcp.com
PID 4632 wrote to memory of 2016	4632	cmd.exe	chcp.com
PID 4632 wrote to memory of 5064	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 5064	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4296	4632	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
PID 4632 wrote to memory of 4296	4632	cmd.exe	30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe

C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
"C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGA4GOYECshX.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:4616

C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
"C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o5YuNyfb34GY.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1980

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1216

C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
"C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1gykQQ3uj9q6.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2016

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:5064

C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe
"C:\Users\Admin\AppData\Local\Temp\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\30d1d838112df9d0a9b75c96906dc14e1a36bd279802e10bcbc41b674ab6c668.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1gykQQ3uj9q6.bat
Filesize
261B

MD5
e705375231299dce6e0964c5a2ed87fd

SHA1
d1a1ae3ec3c959b16648a4dd0d79c294644e42dd

SHA256
cb885ca43843102e2c22b316f4f4fbc5f47ed366582755ea1d108627a1c7c57b

SHA512
0c31188fd1f7ed53864c0da61e336267dc3776cd6e4467dbc85af3c88a64dcf694d36a4fab7729c76a3326a318a3e77c355393d26cda5c4504297cff6a86f1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGA4GOYECshX.bat
Filesize
261B

MD5
4f669747f59a61e8c86e2a5cb8cbadc3

SHA1
f542281345cfb4c22eea9bd249384cbd77b00ed5

SHA256
92a230f8ce4914d2fc64a560c06da4b378f6d088b3aaaa2a08d1075a24be178d

SHA512
755939ccf0ec3cb021842a99392b2e3834e6a24d9820f5196e498d18eb904ec7f4bf146f7e153cfb56423f6a42686e1c9ae0d41d97bb9b4b3268551ef76a398a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5YuNyfb34GY.bat
Filesize
261B

MD5
2cde9196532b0bcc02bba50095628093

SHA1
90405418f063f832338a4f40ed67a9a4eb2a0861

SHA256
52b5d256e90bf037066a67e506b3dffe5c6b535ae81391d47170fdddea876665

SHA512
4ca318b9e473d35929db94ffb96f31b30b55581eaaee8e13d3b507739035cab5c895596eca6c11e4bad3c8d0781038da545aecb6bc52a1594c97b644c20570ba

Download Submit
memory/640-136-0x0000000000000000-mapping.dmp

Download
memory/1216-144-0x0000000000000000-mapping.dmp

Download
memory/1812-145-0x0000000000000000-mapping.dmp

Download
memory/1812-146-0x00007FFDC5C60000-0x00007FFDC6721000-memory.dmp

Filesize
10.8MB

Download
memory/1980-143-0x0000000000000000-mapping.dmp

Download
memory/2016-149-0x0000000000000000-mapping.dmp

Download
memory/2188-134-0x0000000000000000-mapping.dmp

Download
memory/3152-138-0x0000000000000000-mapping.dmp

Download
memory/3152-140-0x00007FFDC6AE0000-0x00007FFDC75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-130-0x00000000003B0000-0x0000000000434000-memory.dmp

Filesize
528KB

Download
memory/3520-132-0x000000001AEE0000-0x000000001AF30000-memory.dmp

Filesize
320KB

Download
memory/3520-133-0x000000001C170000-0x000000001C222000-memory.dmp

Filesize
712KB

Download
memory/3520-131-0x00007FFDC6B90000-0x00007FFDC7651000-memory.dmp

Filesize
10.8MB

Download
memory/3664-141-0x0000000000000000-mapping.dmp

Download
memory/4296-151-0x0000000000000000-mapping.dmp

Download
memory/4296-152-0x00007FFDC5C60000-0x00007FFDC6721000-memory.dmp

Filesize
10.8MB

Download
memory/4616-137-0x0000000000000000-mapping.dmp

Download
memory/4632-147-0x0000000000000000-mapping.dmp

Download
memory/5064-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads