quasar | 1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746

Analysis

max time kernel
150s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07/06/2022, 19:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
Size

1.3MB
MD5

3522dc4a208a91f7042864ce15bc1398
SHA1

0d29e13a249fa713570418d5e1b306e59f4c7ea5
SHA256

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
SHA512

a2559e23bdf8791bd570842e70836319978214944c62065dc8ef67125ccd12ee37d9a82939fc8c62b8ec2913c993e0abf231c5f7e539e5bf2df6501ec4d99602

Score

10^/10

quasar za za za za za zaza za za za za za persistence spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

ZA ZA ZA ZA ZA ZAZA ZA ZA ZA ZA ZA

94.242.224.249:222

Mutex

XxAa8FrSbGrHTm2bMoPtlPlHQKoAB4XGedNm

Attributes

encryption_key
Sj0W6u9cP4lwm6yCywzP
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3548-145-0x0000000000B00000-0x0000000000B4E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 3 IoCs

pid	Process
4396	Indicibile.com
1104	Indicibile.com
3548	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uNNTjIpEly.url	Indicibile.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 3548	1104	Indicibile.com	89

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3772	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3548	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4980	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	77
PID 4840 wrote to memory of 4980	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	77
PID 4840 wrote to memory of 4980	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	77
PID 4840 wrote to memory of 3884	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	79
PID 4840 wrote to memory of 3884	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	79
PID 4840 wrote to memory of 3884	4840	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	79
PID 3884 wrote to memory of 4920	3884	cmd.exe	81
PID 3884 wrote to memory of 4920	3884	cmd.exe	81
PID 3884 wrote to memory of 4920	3884	cmd.exe	81
PID 4920 wrote to memory of 4972	4920	cmd.exe	82
PID 4920 wrote to memory of 4972	4920	cmd.exe	82
PID 4920 wrote to memory of 4972	4920	cmd.exe	82
PID 4920 wrote to memory of 4396	4920	cmd.exe	83
PID 4920 wrote to memory of 4396	4920	cmd.exe	83
PID 4920 wrote to memory of 4396	4920	cmd.exe	83
PID 4920 wrote to memory of 3772	4920	cmd.exe	84
PID 4920 wrote to memory of 3772	4920	cmd.exe	84
PID 4920 wrote to memory of 3772	4920	cmd.exe	84
PID 4396 wrote to memory of 1104	4396	Indicibile.com	85
PID 4396 wrote to memory of 1104	4396	Indicibile.com	85
PID 4396 wrote to memory of 1104	4396	Indicibile.com	85
PID 1104 wrote to memory of 3548	1104	Indicibile.com	89
PID 1104 wrote to memory of 3548	1104	Indicibile.com	89
PID 1104 wrote to memory of 3548	1104	Indicibile.com	89
PID 1104 wrote to memory of 3548	1104	Indicibile.com	89
PID 1104 wrote to memory of 3548	1104	Indicibile.com	89

C:\Users\Admin\AppData\Local\Temp\1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
"C:\Users\Admin\AppData\Local\Temp\1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c kWVICA
  2⤵
  PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Pensai.xll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PezDHcDOyTUXYowHLWSjrrYddvoFPhAhfJxUvPVlMOxeagyDNUFZYqeLrejkhYZRzHIgNukWwHmfIVYedESUHBf$" Sorridente.ppsx
      4⤵
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com
      Indicibile.com Avvelenate.bmp
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com Avvelenate.bmp
        5⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3548
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:3772

Network

DNS

KaSzjoLsQdHHRhYVQOxUUSj.KaSzjoLsQdHHRhYVQOxUUSj

Indicibile.com

Remote address:

8.8.8.8:53

Request

KaSzjoLsQdHHRhYVQOxUUSj.KaSzjoLsQdHHRhYVQOxUUSj

IN A

Response
DNS

14.110.152.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.110.152.52.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

RegAsm.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

RegAsm.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 07 Jun 2022 21:37:12 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 323
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

52.109.76.31:443

40 B
1
93.184.220.29:80

46 B
40 B
1
1
104.208.16.90:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
204.79.197.200:443

156 B
3
208.95.112.1:80

http://ip-api.com/json/

http

RegAsm.exe

328 B
632 B
4
3

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
94.242.224.249:222

RegAsm.exe

260 B
5
94.242.224.249:222

RegAsm.exe

260 B
5
94.242.224.249:222

RegAsm.exe

260 B
5

8.8.8.8:53

KaSzjoLsQdHHRhYVQOxUUSj.KaSzjoLsQdHHRhYVQOxUUSj

dns

Indicibile.com

93 B
168 B
1
1

DNS Request

KaSzjoLsQdHHRhYVQOxUUSj.KaSzjoLsQdHHRhYVQOxUUSj
8.8.8.8:53

14.110.152.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

14.110.152.52.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

RegAsm.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.bmp

Filesize
1.1MB

MD5
d38fbf3003834442e5662a0c54615a69

SHA1
eb3217127b82cd0cdfd3ee34b65112d95c027a73

SHA256
f92b2f15d409db36db232878f74a1b3a1324fe90125e6e4eaa9903351c0c8a15

SHA512
8081112b4544f8b72e535d7d3188b3d0272b79a00a7cedfc7da3a7810f6516d81cc91caf320972899ce28e353347cf95373c42a48082d54f9f30c9d515dc8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Inespresso.xlsm

Filesize
288KB

MD5
072d168817db1479fa1ad1d48e2a635e

SHA1
52c8e5f955d819216e5a5d0c1cc380710559f859

SHA256
086db4aa8a29e0c1140da0017c4f3f3b6d3758682f95658805c55b2c2556cccf

SHA512
60d67704417d33302f2802bda81d52a1f6cf6679b83b315e6e28475916c1f7ded0706d75538ab7db275379570e632b41088c150ccdf071b29fa45d785b5042c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensai.xll

Filesize
113KB

MD5
0a0ac2863533d4a9a3ad9a555786a4dc

SHA1
f6d53675a880079f56c19edfe99f755a1f0a0df7

SHA256
4ae1c9d0c61bf6cf3f0d8abdc4507114c737b341c4315432e0dac83f81a179ce

SHA512
776f3852c5c26785d3175bb86518675eec6ba0b95e0cc6bdee62abad740ca7efff152d28134f854c4b038b9fa0ddb2e93615d36cb9d0ba5d677b594cd546ed03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.ppsx

Filesize
921KB

MD5
7e72b4d06d86451bf084bfd368ded8f6

SHA1
f6bf2b7f37434f479fa39a4bb147c4b8ce133aec

SHA256
2590785501807851a903c650059bbd427fea6c1a61c244792e856d262cf570ac

SHA512
9748ad567d377ed920a62dabeee12d4556dd6b2f7a64ec4fbed3e183a2489b24842cff9e913ef71ad9a297b62d7b7e6502e0593a608184d308a0dbf87cb8cad4

Download Submit
memory/3548-149-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/3548-151-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/3548-154-0x00000000065D0000-0x00000000065DA000-memory.dmp

Filesize
40KB

Download
memory/3548-153-0x0000000006270000-0x00000000062AC000-memory.dmp

Filesize
240KB

Download
memory/3548-145-0x0000000000B00000-0x0000000000B4E000-memory.dmp

Filesize
312KB

Download
memory/3548-152-0x00000000051E0000-0x00000000051F2000-memory.dmp

Filesize
72KB

Download
memory/3548-150-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.