quasar | 5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094

General

Target

5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe
Size

9.0MB
MD5

987bb8bcc92a914d249989e8cca3b2e9
SHA1

d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26
SHA256

5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094
SHA512

23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd

Score

10^/10

quasar business spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Business

C2

craft.ooguy.com:1981

Mutex

GpDg1xgoq8qb9M6Jp6

Attributes

encryption_key
bJJpHxbw80umglURXtYY
install_name
Client.exe
log_directory
4k
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1764-62-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 2 IoCs

Processes:

FoxitPhantomFoxitPhantom

pid process

748 FoxitPhantom
1588 FoxitPhantom
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
748	FoxitPhantom
1588	FoxitPhantom

flow	ioc
3	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exeFoxitPhantom

description	pid	process	target process
PID 1896 set thread context of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 748 set thread context of 1612	748	FoxitPhantom	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1900 1764 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1988 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1200 PING.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exeFoxitPhantom

pid process

1896 5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe
748 FoxitPhantom
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1764 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1764 RegAsm.exe

pid	pid_target	process	target process
1900	1764	WerFault.exe	RegAsm.exe

pid	process
1988	schtasks.exe

pid	process
1200	PING.EXE

pid	process
1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe
748	FoxitPhantom

description	pid	process
Token: SeDebugPrivilege	1764	RegAsm.exe

pid	process
1764	RegAsm.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exeRegAsm.execmd.exetaskeng.exeFoxitPhantomFoxitPhantom

description	pid	process	target process
PID 1896 wrote to memory of 1992	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1992	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1992	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1992	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1988	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1988	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1988	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1988	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	schtasks.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1896 wrote to memory of 1764	1896	5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe	RegAsm.exe
PID 1764 wrote to memory of 1480	1764	RegAsm.exe	cmd.exe
PID 1764 wrote to memory of 1480	1764	RegAsm.exe	cmd.exe
PID 1764 wrote to memory of 1480	1764	RegAsm.exe	cmd.exe
PID 1764 wrote to memory of 1480	1764	RegAsm.exe	cmd.exe
PID 1764 wrote to memory of 1900	1764	RegAsm.exe	WerFault.exe
PID 1764 wrote to memory of 1900	1764	RegAsm.exe	WerFault.exe
PID 1764 wrote to memory of 1900	1764	RegAsm.exe	WerFault.exe
PID 1764 wrote to memory of 1900	1764	RegAsm.exe	WerFault.exe
PID 1480 wrote to memory of 804	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 804	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 804	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 804	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 1200	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 1200	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 1200	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 1200	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1480 wrote to memory of 1368	1480	cmd.exe	RegAsm.exe
PID 1836 wrote to memory of 748	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 748	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 748	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 748	1836	taskeng.exe	FoxitPhantom
PID 748 wrote to memory of 1060	748	FoxitPhantom	schtasks.exe
PID 748 wrote to memory of 1060	748	FoxitPhantom	schtasks.exe
PID 748 wrote to memory of 1060	748	FoxitPhantom	schtasks.exe
PID 748 wrote to memory of 1060	748	FoxitPhantom	schtasks.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 748 wrote to memory of 1612	748	FoxitPhantom	RegAsm.exe
PID 1836 wrote to memory of 1588	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 1588	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 1588	1836	taskeng.exe	FoxitPhantom
PID 1836 wrote to memory of 1588	1836	taskeng.exe	FoxitPhantom
PID 1588 wrote to memory of 1736	1588	FoxitPhantom	schtasks.exe
PID 1588 wrote to memory of 1736	1588	FoxitPhantom	schtasks.exe
PID 1588 wrote to memory of 1736	1588	FoxitPhantom	schtasks.exe
PID 1588 wrote to memory of 1736	1588	FoxitPhantom	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe
"C:\Users\Admin\AppData\Local\Temp\5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
2⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn FoxitPhantomPDF /MO 1 /tr C:\Users\Admin\AppData\Roaming\FoxitPhantom
2⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dBR0ZGr9Swsb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1512
3⤵
- Program crash
PID:1900

C:\Windows\system32\taskeng.exe
taskeng.exe {FB47E086-E0E0-4AF0-975C-69E7D3CE0B55} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Roaming\FoxitPhantom
C:\Users\Admin\AppData\Roaming\FoxitPhantom
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
3⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1612

C:\Users\Admin\AppData\Roaming\FoxitPhantom
C:\Users\Admin\AppData\Roaming\FoxitPhantom
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
3⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dBR0ZGr9Swsb.bat
Filesize
215B

MD5
c7a32209b4a3ec4863a1a781daa1a6f4

SHA1
2dbf9ddc87670fd6c4bfdb2d255ecf76a8723538

SHA256
31c31c549f0d3cd35e43ef170fdea7dc430ce81bacd23b71c014f8ccc167184d

SHA512
fe9edab4ac78b904017a11f81383544719dd39722daba38ad256a7a475a09f39be4c59f4ad474c4fd1f6b989d2a5534b112230a81ef08cd493d068df3d0cd91c

Download Submit
C:\Users\Admin\AppData\Roaming\FoxitPhantom
Filesize
9.0MB

MD5
987bb8bcc92a914d249989e8cca3b2e9

SHA1
d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26

SHA256
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094

SHA512
23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd

Download Submit
C:\Users\Admin\AppData\Roaming\FoxitPhantom
Filesize
9.0MB

MD5
987bb8bcc92a914d249989e8cca3b2e9

SHA1
d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26

SHA256
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094

SHA512
23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd

Download Submit
C:\Users\Admin\AppData\Roaming\FoxitPhantom
Filesize
9.0MB

MD5
987bb8bcc92a914d249989e8cca3b2e9

SHA1
d09cfc64e1e7b22eb99fcc77c35d0286dfa74d26

SHA256
5dd3a4cd00a5c5ce6335975b1541a39067f8c34f407202d7d631214bbfe47094

SHA512
23d5356cfbbb8ad8e43e9d1a038f2c30a226fbb43b98bd1062317550bdee099aef51d1ede79781e449f8349b02bc1e67d604342995e89f03d8e3c4be061ea0bd

Download Submit
memory/748-74-0x0000000000C30000-0x0000000001534000-memory.dmp

Filesize
9.0MB

Download
memory/748-72-0x0000000000000000-mapping.dmp

Download
memory/804-66-0x0000000000000000-mapping.dmp

Download
memory/1060-76-0x0000000000000000-mapping.dmp

Download
memory/1200-67-0x0000000000000000-mapping.dmp

Download
memory/1368-68-0x0000000000000000-mapping.dmp

Download
memory/1368-70-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1480-63-0x0000000000000000-mapping.dmp

Download
memory/1588-79-0x0000000000000000-mapping.dmp

Download
memory/1588-81-0x0000000000360000-0x0000000000C64000-memory.dmp

Filesize
9.0MB

Download
memory/1612-77-0x00000000004581EE-mapping.dmp

Download
memory/1736-83-0x0000000000000000-mapping.dmp

Download
memory/1764-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1764-59-0x00000000004581EE-mapping.dmp

Download
memory/1896-54-0x0000000000A40000-0x0000000001344000-memory.dmp

Filesize
9.0MB

Download
memory/1896-60-0x0000000000570000-0x0000000000573000-memory.dmp

Filesize
12KB

Download
memory/1896-56-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1896-55-0x0000000005610000-0x0000000005674000-memory.dmp

Filesize
400KB

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download
memory/1988-58-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads