quasar | 382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3

General

Target

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe
Size

337KB
MD5

8674e8fd878a92e92a479b931235bb72
SHA1

dfc652402b4791b81379326b0881cd0a2e613169
SHA256

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3
SHA512

6d36b398d1f964b3b2f0ce5fdd1a0a04e7997b8fa8295912f31d4e26a50dee75197303df34d92915fa5bb57a5df4d486dcff7d312bd5064425cd27218b4e094c

Score

10^/10

quasar revengerat ceo spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

23.249.161.211:1714

Mutex

ymuFePGjPK2s7dyOvO

Attributes

encryption_key
H5mirEGEuwM1G7u6Z7Pb
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1312-67-0x0000000000BF0000-0x0000000000C3E000-memory.dmp	family_quasar
behavioral1/memory/112-71-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/112-73-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/112-74-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/112-72-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/112-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/112-78-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Drops startup file 1 IoCs

Processes:

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYrSDt.url	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

description	pid	process	target process
PID 1312 set thread context of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

pid	process
1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe
1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe
Token: SeDebugPrivilege	112	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

112 RegAsm.exe

pid	process
112	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.execsc.exe

description	pid	process	target process
PID 1312 wrote to memory of 1004	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	csc.exe
PID 1312 wrote to memory of 1004	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	csc.exe
PID 1312 wrote to memory of 1004	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	csc.exe
PID 1312 wrote to memory of 1004	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	csc.exe
PID 1004 wrote to memory of 316	1004	csc.exe	cvtres.exe
PID 1004 wrote to memory of 316	1004	csc.exe	cvtres.exe
PID 1004 wrote to memory of 316	1004	csc.exe	cvtres.exe
PID 1004 wrote to memory of 316	1004	csc.exe	cvtres.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe
PID 1312 wrote to memory of 112	1312	382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe
"C:\Users\Admin\AppData\Local\Temp\382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0r3orqr\a0r3orqr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1102.tmp" "c:\Users\Admin\AppData\Local\Temp\a0r3orqr\CSCB02E144285CF4672994DC87C33F1734.TMP"
3⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1102.tmp
Filesize
1KB

MD5
e44b866c86c3170c6db5ee9e545d5aaf

SHA1
3e86322feec1bb107e68fea32ec5931977cf711f

SHA256
9419ff9f7494f81427bc85a773900a7f477e4d6c295e6a83f325ea5f04f23d26

SHA512
b92ec7e26a694802ff6b6747226d71308541f1015a85dc467e91087b74eb3f7919116c7bc662ee11450fe981a09d9285dd463d59b63e8d50f4ab3a71fd4e2a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0r3orqr\a0r3orqr.dll
Filesize
7KB

MD5
6171a2fbfa94d752ebc4f6ba4af68b10

SHA1
7fbc9727617c3ce8af33e1e19aa2312c691737a7

SHA256
b83ce66df40beace2bd42d221c54a99c974bbbcd89b3826a1acb76a68d7b3212

SHA512
b974aec60a1d87eed6ea4b284ebc34f0603802d997121f9eddc7a6260e608a9cc4f864ce2470fd2cbf8dc03d5f2ea61d37f795bbea787e28bccd9bd2a868b429

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0r3orqr\a0r3orqr.pdb
Filesize
23KB

MD5
3947e5881ad1b1e3270bd17fbc111284

SHA1
3cf1e037bb693f3e09831f2f0c678d328bac3250

SHA256
5f548cb279a1edfeaf22d4e2752cb5c80f89a5ac1c8cae80cf23b1ed25ebef0f

SHA512
35f17c7dee66f6383da7f06df896e63d229e1af0c4decd85d880d72d46204c8ef36d2e8e982ac50c7d3b400f3f54d25e3732a7b9fa207467b66a36a1ba2a29ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0r3orqr\CSCB02E144285CF4672994DC87C33F1734.TMP
Filesize
1KB

MD5
b08bd5b73fb7761b37e60623db330b4b

SHA1
1e2b5919e002f021b38b22a26a186cae26dd7d9e

SHA256
86aa12c5de6e2b6ce0206acf19f6ca896ee77225ce79ba6d474a13e34237d9d9

SHA512
e4654eb8dbfd65304a031e8c466a1ef4a311f5798a470911c73809620bd1bd9574cf663f4cb8f78486402228154a06ec75ffbb2f49895dc65939d4da03a2db03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0r3orqr\a0r3orqr.0.cs
Filesize
5KB

MD5
1270db283d14131c79bfa21e6bd37dec

SHA1
fc867965ea8a68a2486f1d41a2ab85a92c665ed2

SHA256
be757d33334bc1f1a8b642c0bda3c20d027bd9de014e17b1f5811b430d7262dd

SHA512
73d888e7252a3e20d00fe8dd56e709bf5c5e0b0a076c221ea27ec5def6939978697dce83433b9c49be9eac7228a2619dca3fa138c1d4e49f38acc952668b4be9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a0r3orqr\a0r3orqr.cmdline
Filesize
312B

MD5
ecafe3dc355d0f27b564b43b25b65181

SHA1
1c76f61e47b73a8a2dfdb9ca00432c5a4f2b72b8

SHA256
c71717c66e9ac11851e2f9cfa028388383948dbf87dbb32e1482f7697ea84a0a

SHA512
2197d5c18259ebd0b53cb7eccbabbddddeaf19831338a095e2360aaed47a6492f8a852e4640323d237c4c9c8591170a01fa3f76037b39955959769760659e814

Download Submit
memory/112-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-74-0x000000000044943E-mapping.dmp

Download
memory/112-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/112-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/316-58-0x0000000000000000-mapping.dmp

Download
memory/1004-55-0x0000000000000000-mapping.dmp

Download
memory/1312-64-0x0000000000B90000-0x0000000000BE8000-memory.dmp

Filesize
352KB

Download
memory/1312-54-0x0000000000FA0000-0x0000000000FFA000-memory.dmp

Filesize
360KB

Download
memory/1312-67-0x0000000000BF0000-0x0000000000C3E000-memory.dmp

Filesize
312KB

Download
memory/1312-66-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1312-65-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1312-63-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads