quasar | 262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada

General

Target

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe
Size

299KB
MD5

bb73586cedd8767a216880ba2a7c7750
SHA1

84a6c6c4908088349d5042f1a57374df7a8469f1
SHA256

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada
SHA512

721bf82d3dfc0b2943283c7c8c4bac7afe54e4e2d1772cf27a254e5bbb6bb89d9dd5c2464a026de8d838d455187cfac0a0864d7ec8d77273d96a4ba92afb07cd

Score

10^/10

quasar revengerat ceo spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

worldwide567678.zapto.org:1714

Mutex

Hroy95BxsKwWGMw1fF

Attributes

encryption_key
xFdMg8u08utwhtKUrD9B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/916-67-0x0000000004C70000-0x0000000004CBE000-memory.dmp	family_quasar
behavioral1/memory/2036-71-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2036-72-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2036-73-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2036-74-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/2036-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2036-78-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Drops startup file 1 IoCs

Processes:

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dIQVAO.url	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

description	pid	process	target process
PID 916 set thread context of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1228 2036 WerFault.exe RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1632 PING.EXE

pid	pid_target	process	target process
1228	2036	WerFault.exe	RegAsm.exe

pid	process
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

pid	process
916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe
916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe
Token: SeDebugPrivilege	2036	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2036 RegAsm.exe

pid	process
2036	RegAsm.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.execsc.exeRegAsm.execmd.exe

description	pid	process	target process
PID 916 wrote to memory of 1528	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	csc.exe
PID 916 wrote to memory of 1528	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	csc.exe
PID 916 wrote to memory of 1528	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	csc.exe
PID 916 wrote to memory of 1528	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	csc.exe
PID 1528 wrote to memory of 632	1528	csc.exe	cvtres.exe
PID 1528 wrote to memory of 632	1528	csc.exe	cvtres.exe
PID 1528 wrote to memory of 632	1528	csc.exe	cvtres.exe
PID 1528 wrote to memory of 632	1528	csc.exe	cvtres.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 916 wrote to memory of 2036	916	262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe	RegAsm.exe
PID 2036 wrote to memory of 1964	2036	RegAsm.exe	cmd.exe
PID 2036 wrote to memory of 1964	2036	RegAsm.exe	cmd.exe
PID 2036 wrote to memory of 1964	2036	RegAsm.exe	cmd.exe
PID 2036 wrote to memory of 1964	2036	RegAsm.exe	cmd.exe
PID 2036 wrote to memory of 1228	2036	RegAsm.exe	WerFault.exe
PID 2036 wrote to memory of 1228	2036	RegAsm.exe	WerFault.exe
PID 2036 wrote to memory of 1228	2036	RegAsm.exe	WerFault.exe
PID 2036 wrote to memory of 1228	2036	RegAsm.exe	WerFault.exe
PID 1964 wrote to memory of 776	1964	cmd.exe	chcp.com
PID 1964 wrote to memory of 776	1964	cmd.exe	chcp.com
PID 1964 wrote to memory of 776	1964	cmd.exe	chcp.com
PID 1964 wrote to memory of 776	1964	cmd.exe	chcp.com
PID 1964 wrote to memory of 1632	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1632	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1632	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1632	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe
PID 1964 wrote to memory of 1256	1964	cmd.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe
"C:\Users\Admin\AppData\Local\Temp\262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwwaxcdu\vwwaxcdu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17D5.tmp" "c:\Users\Admin\AppData\Local\Temp\vwwaxcdu\CSC524A1BF9F03749B2B271A7A6E0A392C.TMP"
3⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IBsN3wx2VT8p.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:776

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1512
3⤵
- Program crash
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IBsN3wx2VT8p.bat
Filesize
215B

MD5
42792f07603dd29fd01256bf774f4d02

SHA1
02486e25d04a65bc5c709bc30eeaf1e1b95e201a

SHA256
36d2d816036f881be9926ac03ddec5f23cebe0088e31a73f4ca3f95f90e95af8

SHA512
5037335a95a62de018ac109e2aab73ffe3722d54045da59dd431fbf1208d0590da0e031cd06b45d3ec0e3dd24e50d371c8bd1e2c1e668233db1ce97941b3a66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES17D5.tmp
Filesize
1KB

MD5
53050cdf3f75a90bc007e5b99c172abc

SHA1
e75d3d0d99291063dcf8fa2c4d6d4bd50226762c

SHA256
6a42f81badd3c4c955b1777bb524813167271838c003d368d6cd1fd61408c3da

SHA512
e5d0ce07915c48bbdb7ed9dcd3ccb41f091cbb6cb33a874f4869c75a3132f346ab41e45fa9d7025efd659a3a1e73f867a4a103ac650a31112c59734db39b963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwwaxcdu\vwwaxcdu.dll
Filesize
6KB

MD5
d878a0405ec8e1c506b20f062bd15c95

SHA1
aaba18dcbb1aa1628c0c0443a9e846c0fdb0eb3b

SHA256
474d262a85e2772b12b7d033d2ebef62c070eb3097570461ba329e6398077e50

SHA512
af3b3c89f527ff9d1c07aa08f4d3f5a90ab04049240d8f8469e1b8ca08e9eaed4dadf0f6c2a45fb385a668e1cd23f65fe3c47f239e639cbd03db2cc9af005ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwwaxcdu\vwwaxcdu.pdb
Filesize
15KB

MD5
0a2365165b9b1c9a304e5ce57b203760

SHA1
c688d68efcc0463df646f9ca73ab442a424e3f99

SHA256
d756a9837ffb932152c92da13c8e911a455633d2545cfe9eb6cff4efd2ae63f8

SHA512
bacea0a12eb3b201ade46e324ba55a1d10bb5c6b2bdfe7b6c3964b6b0e4dfd66bd8df8fa2d583cda54d57e9603a3a9e648d1c3f5934183764a633120383f7b48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwwaxcdu\CSC524A1BF9F03749B2B271A7A6E0A392C.TMP
Filesize
1KB

MD5
848ad8dbba6e549d3de58e57e58ff75b

SHA1
43cde3f4cda817124cfd90f8a1aa2f5dca77f44d

SHA256
e269fa9a223c9ef15485d7d896a8c00fe27f1c695c55fe48d1be4cef99eab3b0

SHA512
8ce737ca5ae25dc68d2541cae8996cc6a628a24f4ada9736ba979afebb2865a0f0a70ba13d71edde08f26715f40117c9f0efb0a765e874b7e7d74d4a5bc54c7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwwaxcdu\vwwaxcdu.0.cs
Filesize
2KB

MD5
3bb7bebdb89f1c2f229090bb605bc82e

SHA1
325c1d845f3f4d9d017905ca53aad651321579f4

SHA256
a70f9fa875053a6b74d21076d401a7c37dc2942a76882efebe4d08468634dc75

SHA512
e733d4d7b3c4684e96a9c1c40c78fea193f9d780fed4320409b6d3dc1ff828436a7b323921bb5209c0814e3bb43580024f15ab51aa8e58cc4bf01c8ddd9297bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwwaxcdu\vwwaxcdu.cmdline
Filesize
312B

MD5
a3fc2f3b92558cf61459843b39387e2f

SHA1
8976e54391bc02794aa8f0f2aa0330513394fe49

SHA256
7755ee54542f4497ce3caa5cb2f77f14f645b9e4f92c0c74222792b2bbd5dd76

SHA512
534c84f0b7a9de6707c07a5b78efe4d6bc2d466e322ef89d3045a0c123b8e97bf16e157964be4776775a466e8d1c8a09c3a4d0132a8507094064ff01f9484b24

Download Submit
memory/632-58-0x0000000000000000-mapping.dmp

Download
memory/776-83-0x0000000000000000-mapping.dmp

Download
memory/916-64-0x0000000004450000-0x00000000044A8000-memory.dmp

Filesize
352KB

Download
memory/916-65-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/916-66-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/916-67-0x0000000004C70000-0x0000000004CBE000-memory.dmp

Filesize
312KB

Download
memory/916-54-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/916-63-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1228-81-0x0000000000000000-mapping.dmp

Download
memory/1256-87-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1256-85-0x0000000000000000-mapping.dmp

Download
memory/1528-55-0x0000000000000000-mapping.dmp

Download
memory/1632-84-0x0000000000000000-mapping.dmp

Download
memory/1964-80-0x0000000000000000-mapping.dmp

Download
memory/2036-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-74-0x000000000044943E-mapping.dmp

Download
memory/2036-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads