quasar | 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db

General

Target

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Size

2.2MB
MD5

faa3ca0d0141f9fe88188504bc3bac89
SHA1

edd03d0de17de2caef384daf792118cfdefc0fa8
SHA256

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db
SHA512

b5693333a3ae10dbf5707927d85ea8e96fbd668b822bd9a337b13df374957720db9c03e4d801d75244902f29a6bbb7dc882647f45fcd5ccf8d8d496307b85922

Score

10^/10

quasar alekfudd evasion persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

AlekFudd

C2

52.188.202.106:8888

Mutex

9QxkaRC5yCiT4nYveU

Attributes

encryption_key
p22ObTAqvAaz7xZDWYTK
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Malwarebytes Corp.
subdirectory
SubDir

Signatures

Quasar Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-56-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1068-57-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1668-63-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1668-64-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1736-67-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1736-68-0x00000000011F0000-0x00000000017DA000-memory.dmp	family_quasar
behavioral1/memory/1736-69-0x0000000076F70000-0x00000000770F0000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Corp. = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe\""	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

pid	process
1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
1668	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
1736	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2036 schtasks.exe
1108 schtasks.exe

pid	process
2036	schtasks.exe
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

pid	process
1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
1668	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
1736	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

description pid process

Token: SeDebugPrivilege 1068 6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

description	pid	process
Token: SeDebugPrivilege	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exetaskeng.exe

description	pid	process	target process
PID 1068 wrote to memory of 2036	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 2036	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 2036	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 2036	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 1108	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 1108	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 1108	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 1068 wrote to memory of 1108	1068	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe	schtasks.exe
PID 876 wrote to memory of 1668	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1668	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1668	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1668	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1736	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1736	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1736	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
PID 876 wrote to memory of 1736	876	taskeng.exe	6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe

C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
"C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Malwarebytes Corp." /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe" /sc MINUTE /MO 1
2⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {28ACA247-0FB0-4780-B073-50B58965687B} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
C:\Users\Admin\AppData\Local\Temp\6e9b01ab841c3b57bbdd4068ffed0f937bc370401b8cdcefc2dfa1dca130a9db.exe
2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-55-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/1068-56-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1068-57-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1068-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1108-59-0x0000000000000000-mapping.dmp

Download
memory/1668-60-0x0000000000000000-mapping.dmp

Download
memory/1668-62-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/1668-63-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1668-64-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1736-65-0x0000000000000000-mapping.dmp

Download
memory/1736-67-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1736-68-0x00000000011F0000-0x00000000017DA000-memory.dmp

Filesize
5.9MB

Download
memory/1736-69-0x0000000076F70000-0x00000000770F0000-memory.dmp

Filesize
1.5MB

Download
memory/2036-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads