quasar | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1

General

Target

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Size

393KB
MD5

6a2c2b021b25da0f433c1224a6aa7931
SHA1

a0548551a6f59901c1ad587815d31967e7bf00d8
SHA256

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1
SHA512

0d9b929159b5bc083b30aac612ed2553393bc5cdddc9f50dd5dfba6567ce658e8e67506b7e47ae125a107843846aa06bb4801a33cc06821332e2677000e557c8

Score

10^/10

quasar revengerat ceo spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

don567678.ddns.net:1714

Mutex

9norn25Q4wM4txx41r

Attributes

encryption_key
ybVCqDzPNXriXCm0UUcE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/860-67-0x0000000004430000-0x000000000447E000-memory.dmp	family_quasar
behavioral1/memory/2000-72-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2000-71-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2000-73-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2000-74-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/2000-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/2000-78-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Drops startup file 1 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icUZoz.url	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

description	pid	process	target process
PID 860 set thread context of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 2000 WerFault.exe RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1976 PING.EXE

pid	pid_target	process	target process
1860	2000	WerFault.exe	RegAsm.exe

pid	process
1976	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

pid	process
860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Token: SeDebugPrivilege	2000	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2000 RegAsm.exe

pid	process
2000	RegAsm.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.execsc.exeRegAsm.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 1104	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 860 wrote to memory of 1104	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 860 wrote to memory of 1104	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 860 wrote to memory of 1104	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 1104 wrote to memory of 1732	1104	csc.exe	cvtres.exe
PID 1104 wrote to memory of 1732	1104	csc.exe	cvtres.exe
PID 1104 wrote to memory of 1732	1104	csc.exe	cvtres.exe
PID 1104 wrote to memory of 1732	1104	csc.exe	cvtres.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 860 wrote to memory of 2000	860	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 2000 wrote to memory of 1632	2000	RegAsm.exe	cmd.exe
PID 2000 wrote to memory of 1632	2000	RegAsm.exe	cmd.exe
PID 2000 wrote to memory of 1632	2000	RegAsm.exe	cmd.exe
PID 2000 wrote to memory of 1632	2000	RegAsm.exe	cmd.exe
PID 2000 wrote to memory of 1860	2000	RegAsm.exe	WerFault.exe
PID 2000 wrote to memory of 1860	2000	RegAsm.exe	WerFault.exe
PID 2000 wrote to memory of 1860	2000	RegAsm.exe	WerFault.exe
PID 2000 wrote to memory of 1860	2000	RegAsm.exe	WerFault.exe
PID 1632 wrote to memory of 1936	1632	cmd.exe	chcp.com
PID 1632 wrote to memory of 1936	1632	cmd.exe	chcp.com
PID 1632 wrote to memory of 1936	1632	cmd.exe	chcp.com
PID 1632 wrote to memory of 1936	1632	cmd.exe	chcp.com
PID 1632 wrote to memory of 1976	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1976	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1976	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1976	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe
PID 1632 wrote to memory of 828	1632	cmd.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
"C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES916.tmp" "c:\Users\Admin\AppData\Local\Temp\2orw4ft4\CSC3D37800F74614453A8DD2EE5CF1349.TMP"
3⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\T2KQ7ChmZxcj.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1496
3⤵
- Program crash
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.dll
Filesize
16KB

MD5
e1815f9355e407fc1f55714ea7d21bfe

SHA1
f7ecee25d65bdf63840860fbdc6528de774c0640

SHA256
082dca9f38c300fd84e9193c4f25e2e4eac78c151316f808bb7fe7a08a0ef62a

SHA512
bc30819ca9c40900bdf31ba3c8c343e9368ee07ed82f09481d8aaef2cee167ceff9fc48fbc0cb26644fc982174f9923df5a902bbdbd79a8adefc3cc628b34125

Download Submit
C:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.pdb
Filesize
49KB

MD5
f0f3f36a897423c682f024e9f2c9784b

SHA1
5d3006bc5bc3c39393548cef7d2a53ccde256566

SHA256
a4a65ffb4616fbf4926b21ccd69734c3a62b9ea61d250af140ae994cc267badb

SHA512
b46677d81de0920f4baf00c4c5817545e344247dd3a15d258addb04ace53293f5a91cdc823fab2d3bc261685ab5f48e345581e8977e88293090c5a920441198e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES916.tmp
Filesize
1KB

MD5
58bba69772a65747c708efc0076a25f9

SHA1
5b09050449705bde6d9d20c972b4a71bf6830b09

SHA256
0ea01a628cca22d300fc83ec3399a78a80fe022795778602df3025a84d3a9429

SHA512
a625c9e6a8a35034c4a22a8890334f0d4dff71f5431d274597300d47d3805cf1f92303df5ac0f5f6d9e1a6db7ca709a7823bed822ffc473b594288b3b5b251f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2KQ7ChmZxcj.bat
Filesize
215B

MD5
52e5e66b36680c1aa7f328204ce8682b

SHA1
9a2b30b26bea60423485f4fa797ad7253beecf39

SHA256
93c89533c0168889e9c03e33788754d0601a291a1ed72c0d24c1520437d0fff3

SHA512
0a7963f02aef7f18612674ce0d4a8849cea8f1f8bf94cb586aff207b2db68f8bad283ad4b6a9162cf18203b5b7007eda4181b6e7a1b62f3fce25d75cea510ee5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.0.cs
Filesize
34KB

MD5
b056dc44506a4145e2642d5959ead5f2

SHA1
e67cd09700a8b7bcbecf006ed6aa90249aab765e

SHA256
a2d7d38fdaee967ae27b548db5eb709be0887cd1ebb31ff46ae6f58af681b38e

SHA512
2ff69c3a0792207a2ebeaf00e41e8acd3a9b91d95082af1a20a5cb4594d22488ed71ef1163f822edecf8646999daa298b724be2cbf9c097b75f7b68f4f35b4e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\2orw4ft4.cmdline
Filesize
312B

MD5
f86a521bf81fd54019d0b458158f4198

SHA1
6f85c8c112a48f31fbcb382f261ed7ce7ed34207

SHA256
65a9ae8458d8dcc82fb69fe2ce36747ffad505d94d78c23858961c188f64f64f

SHA512
3f7129e8c2b2a5218caa4dd2ddf78ea01571187fd235d4629a614becf28b1ef01865209027c8c6f6b50fb6ca642c84f52b161289b29c83de55904fb7ea7404c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2orw4ft4\CSC3D37800F74614453A8DD2EE5CF1349.TMP
Filesize
1KB

MD5
a4dbb7c1fea2f068d8280e7e996abfa4

SHA1
a819720ad3974382095d470ff531917311b89022

SHA256
c6abd4e7df9b8007292f5a6865eb46ce15d9ec0a1b146742898753822524129c

SHA512
dfc223b72f6c485f2c4a0a98c846b72bc5045672cc4b1f9eaeff3eabddc86fb50d6d64ab079fd3dcd02851d029d17273df2f80e2948771ea63bf60d17dc8c8b7

Download Submit
memory/828-87-0x0000000000030000-0x0000000000042000-memory.dmp

Filesize
72KB

Download
memory/828-85-0x0000000000000000-mapping.dmp

Download
memory/860-54-0x00000000003E0000-0x0000000000448000-memory.dmp

Filesize
416KB

Download
memory/860-64-0x0000000004340000-0x0000000004398000-memory.dmp

Filesize
352KB

Download
memory/860-65-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/860-66-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/860-67-0x0000000004430000-0x000000000447E000-memory.dmp

Filesize
312KB

Download
memory/860-63-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/1104-55-0x0000000000000000-mapping.dmp

Download
memory/1632-80-0x0000000000000000-mapping.dmp

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1860-82-0x0000000000000000-mapping.dmp

Download
memory/1936-83-0x0000000000000000-mapping.dmp

Download
memory/1976-84-0x0000000000000000-mapping.dmp

Download
memory/2000-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-74-0x000000000044943E-mapping.dmp

Download
memory/2000-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2000-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads