quasar | 55e326edd8ef12202de73dbc00c036fc01b17e808b3553080279f49946800eb3

Analysis

max time kernel
170s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

teamredminer-v0.3.4-win/teamredminer.exe
Size

6.7MB
MD5

cce80dbe14de96ca15817477b0ac8c03
SHA1

1824ea8e2d15183458e03d40605a097d32565f64
SHA256

f83e0cb2498d6a7044809bf234e29208b193022b2485a0695f2671e061a7272e
SHA512

d52713b297741a8f15092819b3a8f3e56651ce41ef86f29b484c0f9d4536b8b6cf763f88069a030f9a4995f2e2b8040a0c7a50e90c049483bc68933798219635

Score

10^/10

quasar dendi spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

dendi

185.244.217.92:4782

Mutex

QSR_MUTEX_LTcjNqRb6NS57npmpd

Attributes

encryption_key
YaVqqMF3gVTZOI5Xevop
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2028-256-0x0000000000400000-0x0000000000836000-memory.dmp	family_quasar
behavioral5/memory/2028-257-0x0000000000400000-0x0000000000836000-memory.dmp	family_quasar
behavioral5/memory/2028-259-0x0000000000400000-0x000000000082C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 3 IoCs

Processes:

cmd.exeschtasks.exesvchost.exe

pid process

1604 cmd.exe
804 schtasks.exe
2028 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

teamredminer.execmd.exe

pid process

1700 teamredminer.exe
1700 teamredminer.exe
1604 cmd.exe

pid	process
1604	cmd.exe
804	schtasks.exe
2028	svchost.exe

pid	process
1700	teamredminer.exe
1700	teamredminer.exe
1604	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\modified\@SYSWOW64@\rat.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

svchost.exe

pid process

2028 svchost.exe
2028 svchost.exe
2028 svchost.exe
2028 svchost.exe
2028 svchost.exe
2028 svchost.exe

pid	process
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

teamredminer.execmd.exeschtasks.exesvchost.exe

description	pid	process
Token: 33	1700	teamredminer.exe
Token: SeIncBasePriorityPrivilege	1700	teamredminer.exe
Token: 33	1604	cmd.exe
Token: SeIncBasePriorityPrivilege	1604	cmd.exe
Token: 33	804	schtasks.exe
Token: SeIncBasePriorityPrivilege	804	schtasks.exe
Token: 33	2028	svchost.exe
Token: SeIncBasePriorityPrivilege	2028	svchost.exe
Token: 33	2028	svchost.exe
Token: SeIncBasePriorityPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	2028	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2028 svchost.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

teamredminer.execmd.exeschtasks.exesvchost.exe

pid process

1700 teamredminer.exe
1604 cmd.exe
804 schtasks.exe
2028 svchost.exe

pid	process
2028	svchost.exe

pid	process
1700	teamredminer.exe
1604	cmd.exe
804	schtasks.exe
2028	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

teamredminer.execmd.exetaskeng.exe

description	pid	process	target process
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1700 wrote to memory of 1604	1700	teamredminer.exe	cmd.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 804	1604	cmd.exe	schtasks.exe
PID 1096 wrote to memory of 2028	1096	taskeng.exe	svchost.exe
PID 1096 wrote to memory of 2028	1096	taskeng.exe	svchost.exe
PID 1096 wrote to memory of 2028	1096	taskeng.exe	svchost.exe
PID 1096 wrote to memory of 2028	1096	taskeng.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\teamredminer-v0.3.4-win\teamredminer.exe
"C:\Users\Admin\AppData\Local\Temp\teamredminer-v0.3.4-win\teamredminer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0x9C9723AAC2730F7F\cmd.exe
"C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0x9C9723AAC2730F7F\cmd.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe
"C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:804

C:\Windows\system32\taskeng.exe
taskeng.exe {7CE88561-0AE7-4FA9-9420-906AE6C79871} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:2028

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0x9C9723AAC2730F7F\cmd.exe
Filesize
27KB

MD5
bb1b1f32ac085f55a363a55d8176595a

SHA1
87ef56d60592dfd59fa96d50080e7b3394b8deeb

SHA256
edebee8ac2202cc7f815bfb3aea2680542b21e32683461acb6187eba271f01ed

SHA512
4a9c685841f3dc9893b9fa5924ddca48dcdb6b05a6a64ab13e9e4fca3c55c66fff1df8464ce292aebb640052deec15679ffc39660b8a391404d392f67adf7d10

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe
Filesize
27KB

MD5
bb1b1f32ac085f55a363a55d8176595a

SHA1
87ef56d60592dfd59fa96d50080e7b3394b8deeb

SHA256
edebee8ac2202cc7f815bfb3aea2680542b21e32683461acb6187eba271f01ed

SHA512
4a9c685841f3dc9893b9fa5924ddca48dcdb6b05a6a64ab13e9e4fca3c55c66fff1df8464ce292aebb640052deec15679ffc39660b8a391404d392f67adf7d10

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe
Filesize
27KB

MD5
bb1b1f32ac085f55a363a55d8176595a

SHA1
87ef56d60592dfd59fa96d50080e7b3394b8deeb

SHA256
edebee8ac2202cc7f815bfb3aea2680542b21e32683461acb6187eba271f01ed

SHA512
4a9c685841f3dc9893b9fa5924ddca48dcdb6b05a6a64ab13e9e4fca3c55c66fff1df8464ce292aebb640052deec15679ffc39660b8a391404d392f67adf7d10

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe.manifest
Filesize
885B

MD5
879025f0a2539beda0c48c868f570d59

SHA1
aa4369784a9d1d6579aad5bdfff408bac0026da4

SHA256
a52240fa90711da530b5b896a557eaf50ff02d7ea86bb95799816cc713c8c1e4

SHA512
3378b2b35e248d8daf3fd0b6b0d17f613f02b4b925fc2e3f3b1885c21f0fae2a8bd577127c83abbbd6029d3b8e25d8d407887b9744c790e458ed960fbb7d39b0

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\xsandbox.bin
Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
4.2MB

MD5
d0d44a87f90f5794da09941f00aef6bb

SHA1
b683f5707b4c987c533e23c32961ae0b48d9c9b3

SHA256
4aff99a44b112f324fc5fa31d3d918811dda7e0548c50b42e9e4f7fa03000b2f

SHA512
01d85b73dea8b257fba3a711519df51846130528a1edebc5a10f36d9324b85de07a8e1f66367b979fc3cb0b167c959c5764033e85d1b77fe808f69a38805b6e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
4.2MB

MD5
d0d44a87f90f5794da09941f00aef6bb

SHA1
b683f5707b4c987c533e23c32961ae0b48d9c9b3

SHA256
4aff99a44b112f324fc5fa31d3d918811dda7e0548c50b42e9e4f7fa03000b2f

SHA512
01d85b73dea8b257fba3a711519df51846130528a1edebc5a10f36d9324b85de07a8e1f66367b979fc3cb0b167c959c5764033e85d1b77fe808f69a38805b6e7

Download Submit
\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\modified\@SYSWOW64@\rat.exe
Filesize
4.9MB

MD5
0d46a5e73dc74ebc14753f25796be25d

SHA1
ce737d3ce162912f5a0d8b13db022595b36b889c

SHA256
1e1635f254c180f6c7205444a14251a8dfb299f872b70bd41c69db711c349c15

SHA512
e00e107d9f194eadaa2d383b634a3a580ba43400909643bcfa5c41e069ff21f8a4f0101c3a311e11485dc4bd132463dfc555dc45fc0917ab8fb9be8e6ec47e33

Download Submit
\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0x9C9723AAC2730F7F\cmd.exe
Filesize
27KB

MD5
bb1b1f32ac085f55a363a55d8176595a

SHA1
87ef56d60592dfd59fa96d50080e7b3394b8deeb

SHA256
edebee8ac2202cc7f815bfb3aea2680542b21e32683461acb6187eba271f01ed

SHA512
4a9c685841f3dc9893b9fa5924ddca48dcdb6b05a6a64ab13e9e4fca3c55c66fff1df8464ce292aebb640052deec15679ffc39660b8a391404d392f67adf7d10

Download Submit
\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\stubexe\0xDE1A80E194AEAC9E\schtasks.exe
Filesize
27KB

MD5
bb1b1f32ac085f55a363a55d8176595a

SHA1
87ef56d60592dfd59fa96d50080e7b3394b8deeb

SHA256
edebee8ac2202cc7f815bfb3aea2680542b21e32683461acb6187eba271f01ed

SHA512
4a9c685841f3dc9893b9fa5924ddca48dcdb6b05a6a64ab13e9e4fca3c55c66fff1df8464ce292aebb640052deec15679ffc39660b8a391404d392f67adf7d10

Download Submit
memory/804-174-0x0000000001980000-0x0000000001CCA000-memory.dmp

Filesize
3.3MB

Download
memory/804-176-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/804-170-0x0000000000000000-mapping.dmp

Download
memory/804-215-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/1604-172-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/1604-169-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1604-178-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/1604-146-0x0000000000000000-mapping.dmp

Download
memory/1604-152-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1604-153-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1604-155-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1604-154-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1604-151-0x00000000019A0000-0x0000000001CEA000-memory.dmp

Filesize
3.3MB

Download
memory/1700-85-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-101-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-81-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-80-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-88-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-92-0x0000000074EF0000-0x0000000074F02000-memory.dmp

Filesize
72KB

Download
memory/1700-91-0x0000000074EF0000-0x0000000074F02000-memory.dmp

Filesize
72KB

Download
memory/1700-90-0x0000000074EF0000-0x0000000074F02000-memory.dmp

Filesize
72KB

Download
memory/1700-97-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-105-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-108-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-117-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-116-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-134-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-138-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-136-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-144-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/1700-137-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-135-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-133-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-132-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-131-0x0000000075740000-0x00000000757BB000-memory.dmp

Filesize
492KB

Download
memory/1700-115-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-114-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-113-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-112-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-111-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-110-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-109-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-107-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-106-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-104-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-103-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-84-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-102-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-100-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-98-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-99-0x0000000074ED0000-0x0000000074EE7000-memory.dmp

Filesize
92KB

Download
memory/1700-87-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-55-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-86-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-83-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-82-0x0000000074F10000-0x00000000750AE000-memory.dmp

Filesize
1.6MB

Download
memory/1700-74-0x00000000750B0000-0x00000000750E2000-memory.dmp

Filesize
200KB

Download
memory/1700-75-0x00000000750B0000-0x00000000750E2000-memory.dmp

Filesize
200KB

Download
memory/1700-76-0x00000000750B0000-0x00000000750E2000-memory.dmp

Filesize
200KB

Download
memory/1700-78-0x00000000750B0000-0x00000000750E2000-memory.dmp

Filesize
200KB

Download
memory/1700-77-0x00000000750B0000-0x00000000750E2000-memory.dmp

Filesize
200KB

Download
memory/1700-68-0x0000000000BC0000-0x0000000000F05000-memory.dmp

Filesize
3.3MB

Download
memory/1700-67-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-65-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-62-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-64-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-63-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-60-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-61-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-59-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-58-0x0000000000F10000-0x000000000125A000-memory.dmp

Filesize
3.3MB

Download
memory/1700-57-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/2028-219-0x0000000000000000-mapping.dmp

Download
memory/2028-251-0x0000000000CE0000-0x000000000102A000-memory.dmp

Filesize
3.3MB

Download
memory/2028-252-0x0000000075B50000-0x0000000075C60000-memory.dmp

Filesize
1.1MB

Download
memory/2028-255-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/2028-256-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/2028-257-0x0000000000400000-0x0000000000836000-memory.dmp

Filesize
4.2MB

Download
memory/2028-259-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads