quasar | 33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d

General

Target

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe
Size

295KB
MD5

e8a1026d6d025f281c596870fc1185ad
SHA1

28e9f6bd76e161dab22829b3bff2af740de05ab1
SHA256

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d
SHA512

54ddb682f7b36aa6a514e391d296771a8c5f235e4de680d1a84961fe12b46ebd3bb83a9f775fcfe031db305d332b6db4669b12d55e284d178eb0d9bd859fca73

Score

10^/10

quasar ceo spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

198.46.235.194:1417

Mutex

Hzd5ohpHyz0j9jlmB2

Attributes

encryption_key
jKwpd9T86gptPthTAlIq
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4516-142-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Drops startup file 1 IoCs

Processes:

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZQQTCD.url	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com

flow	ioc
28	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

description	pid	process	target process
PID 1260 set thread context of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

pid	process
1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe
1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe
Token: SeDebugPrivilege	4516	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

4516 RegAsm.exe

pid	process
4516	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.execsc.exe

description	pid	process	target process
PID 1260 wrote to memory of 4720	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	csc.exe
PID 1260 wrote to memory of 4720	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	csc.exe
PID 1260 wrote to memory of 4720	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	csc.exe
PID 4720 wrote to memory of 3352	4720	csc.exe	cvtres.exe
PID 4720 wrote to memory of 3352	4720	csc.exe	cvtres.exe
PID 4720 wrote to memory of 3352	4720	csc.exe	cvtres.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe
PID 1260 wrote to memory of 4516	1260	33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe
"C:\Users\Admin\AppData\Local\Temp\33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkaebyjv\tkaebyjv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES326A.tmp" "c:\Users\Admin\AppData\Local\Temp\tkaebyjv\CSC5AF0B755380B43FC96FB4695939E7CFC.TMP"
3⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES326A.tmp
Filesize
1KB

MD5
6d07ea68f9dc67140512292c7133a61a

SHA1
6b936a884b8638e1153315e56d18e266bf03bbf6

SHA256
b7f5867c4dcde94a26598821df959beabdc3e6f32401f5352d7f69673ea6fbd3

SHA512
520ad3a8a9de9aaa0c45f58a129d0bb04d2407a83854bc6890875468588dd1e443afc3a67aca44607c8a6e89e3c35b9d0892643ef76f838fee2727bdd92ac73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkaebyjv\tkaebyjv.dll
Filesize
7KB

MD5
594911bb910c0c759950fe5c0c50a40b

SHA1
2f4436b509622674bf529e8328f7b4e809ed080d

SHA256
c0e22a995365fbec7bbfc747f4d90ec1323082bda1d1c6581768fdac7afb34f7

SHA512
b97199379e1cb81e49e0233e14e760ef9a1c841d6868d5e0910cce64c9a81b778cafcbfa7c3decaee6931243198f5440372182778ba5ca8c6ce1c1c20030a008

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkaebyjv\tkaebyjv.pdb
Filesize
23KB

MD5
2ad2e7dc033ccf8e594031fcf6b989b5

SHA1
50112f7a538b11b8b1d0cf9b2fedd86e11af5632

SHA256
e5e42885ff706efd9d1329118410cc325cac8af9688dca2271c7943a0b3adc15

SHA512
903857f72097cda103334c9d1081d7d56277b38ddb9350f103167cd85153c733029c0fe18b1031538b1e8aa26e176ccc84ab8693076e77e01957e0e3ee2131fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkaebyjv\CSC5AF0B755380B43FC96FB4695939E7CFC.TMP
Filesize
1KB

MD5
e2e6b20a9ea48a7d27f500ded28a3418

SHA1
d4d71b471a4823985e0a76545e59fa1bb3142e66

SHA256
f28d65c2d120fa2e6fa7e85935aae1f8ee9538270a93e652b1b0ae17e8791cbe

SHA512
250033c73982dc72870664896550b738d9a2b23400063aba71a49ee2ea54f77be983b0915cd47446fc8afc9efbaca856e5c0c3f76ef76599c6e7e68b4b0ca28c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkaebyjv\tkaebyjv.0.cs
Filesize
5KB

MD5
f939f60f0db703b692cd555a84dfd229

SHA1
875432a66f869526586a2d2cff57a219f113402e

SHA256
5fe14a6f96e8cc897dc037a881b86eab33d0f375e2b2580409ad70676326f036

SHA512
dc0a5206df64daafa7f6c30eb33cfe48cb975991c7b0409c7f3bcc2232087ce128b8762aae15c4fbb0b5da7dd3e7d26cd7f1cb3c547c088e827744192f20f04f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkaebyjv\tkaebyjv.cmdline
Filesize
312B

MD5
8d5925b6221580ce2e451940a2573e2d

SHA1
4a6265ac4ec047e4c48b96cb8f62bac71785159a

SHA256
5c3330d4bffa7e95b197944471388fa96f2c1fc81eaf954585bb9a7c563db96b

SHA512
48e128c89ab49829271d89c9df843c1c9d7f555f851b884775aae7b49c6f3ee051f0c6b1a422fae5cea84aa1de29e3dabbdd9b29880798003f4f42a12bf640e1

Download Submit
memory/1260-139-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1260-140-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/1260-130-0x00000000006A0000-0x00000000006F0000-memory.dmp

Filesize
320KB

Download
memory/3352-134-0x0000000000000000-mapping.dmp

Download
memory/4516-141-0x0000000000000000-mapping.dmp

Download
memory/4516-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4516-143-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4516-144-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/4516-145-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/4516-146-0x0000000006470000-0x00000000064AC000-memory.dmp

Filesize
240KB

Download
memory/4516-147-0x00000000067F0000-0x00000000067FA000-memory.dmp

Filesize
40KB

Download
memory/4720-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads