quasar | 3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1

General

Target

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Size

393KB
MD5

6a2c2b021b25da0f433c1224a6aa7931
SHA1

a0548551a6f59901c1ad587815d31967e7bf00d8
SHA256

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1
SHA512

0d9b929159b5bc083b30aac612ed2553393bc5cdddc9f50dd5dfba6567ce658e8e67506b7e47ae125a107843846aa06bb4801a33cc06821332e2677000e557c8

Score

10^/10

quasar ceo spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

don567678.ddns.net:1714

Mutex

9norn25Q4wM4txx41r

Attributes

encryption_key
ybVCqDzPNXriXCm0UUcE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-147-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icUZoz.url	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com

flow	ioc
14	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

description	pid	process	target process
PID 4308 set thread context of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1408 1652 WerFault.exe RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3472 PING.EXE

pid	pid_target	process	target process
1408	1652	WerFault.exe	RegAsm.exe

pid	process
3472	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

pid	process
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
Token: SeDebugPrivilege	1652	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1652 RegAsm.exe

pid	process
1652	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.execsc.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4308 wrote to memory of 4608	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 4308 wrote to memory of 4608	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 4308 wrote to memory of 4608	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	csc.exe
PID 4608 wrote to memory of 4212	4608	csc.exe	cvtres.exe
PID 4608 wrote to memory of 4212	4608	csc.exe	cvtres.exe
PID 4608 wrote to memory of 4212	4608	csc.exe	cvtres.exe
PID 4308 wrote to memory of 4028	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 4028	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 4028	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1420	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1420	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1420	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 4308 wrote to memory of 1652	4308	3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe	RegAsm.exe
PID 1652 wrote to memory of 3992	1652	RegAsm.exe	cmd.exe
PID 1652 wrote to memory of 3992	1652	RegAsm.exe	cmd.exe
PID 1652 wrote to memory of 3992	1652	RegAsm.exe	cmd.exe
PID 3992 wrote to memory of 1756	3992	cmd.exe	chcp.com
PID 3992 wrote to memory of 1756	3992	cmd.exe	chcp.com
PID 3992 wrote to memory of 1756	3992	cmd.exe	chcp.com
PID 3992 wrote to memory of 3472	3992	cmd.exe	PING.EXE
PID 3992 wrote to memory of 3472	3992	cmd.exe	PING.EXE
PID 3992 wrote to memory of 3472	3992	cmd.exe	PING.EXE
PID 3992 wrote to memory of 3360	3992	cmd.exe	RegAsm.exe
PID 3992 wrote to memory of 3360	3992	cmd.exe	RegAsm.exe
PID 3992 wrote to memory of 3360	3992	cmd.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe
"C:\Users\Admin\AppData\Local\Temp\3e3cb0d7a8bcb9365d5a74b909c6653e7db615beb0f669ead9680d66eea1d6b1.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkfaeki5\bkfaeki5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC23.tmp" "c:\Users\Admin\AppData\Local\Temp\bkfaeki5\CSC5EA5458D3E854D4E8CC7F0225514EC4D.TMP"
3⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glTjpWHF94cp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1756

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 2224
3⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1652 -ip 1652
1⤵
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAC23.tmp
Filesize
1KB

MD5
b0c0f3eab2d67e2a57a78c65a5351c13

SHA1
48dc62ab717ad0eaaf581c3b2f29814450807439

SHA256
333eeb6689e47fc72e3503c7798adf3515383689c64285bba460d4940325031a

SHA512
e4f367ec8f82169cc1b6b3bc81f2074a0bc57ea2199232d3e6c5d3abef7e121e4545cd57220dfc510d7693ac70818b62674ec41d13d16e9a36cf38c8d1080a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkfaeki5\bkfaeki5.dll
Filesize
16KB

MD5
8230da73b64bb0761e78e15c7393f794

SHA1
b2380baf1f73a6a740cfc77d7bf6b99e4397e90f

SHA256
1f56d90c29cc8250f72b2cbdab741d36c52e2db68e360efc161f6d46b3c6dcff

SHA512
b88ca67684735c5a7bc03fc2103a7cc67f90fa1b5fd5ab49ea32f7437dbdaa52ac13a9b26b742811239ae24f400d261ba69bac010941c0d4c4a1e67e6b37716d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkfaeki5\bkfaeki5.pdb
Filesize
49KB

MD5
5375e92cef970b09bd9d8f9c565b272a

SHA1
b4fea071cf7c292afc59064aa73edf4077088aa9

SHA256
89a8228823ae182b6e1de900d151e11fa673284331824d9b04f5f237ca3c0582

SHA512
e85007e9612c855bbd016b3466bb2a763893cfed3e352892897c018ba9d697d6044e74bdb00ff0b13b0a8878b3935be50db5511be914642c01254379f82025f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\glTjpWHF94cp.bat
Filesize
215B

MD5
077cc9117db039ba6b714b5f8c71dbca

SHA1
09c3b5be45a5c4febc39c906899b7edcbbe93512

SHA256
b91a65416ffb59d38f545e35bc275067ada11c0413f89bf27440a602358eef05

SHA512
ff1c0cdf45ab7bbcc098d212f02fc4a3ccc6e425eae74fc082edd7b37c5ca8de666fa15fac8c059ce0079c4f0caf3ae7b30baffe84d1b82e0e11856ffb04f745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkfaeki5\CSC5EA5458D3E854D4E8CC7F0225514EC4D.TMP
Filesize
1KB

MD5
bf9b0be82de446d23f523438e716ef3b

SHA1
1472c23f2faaa08ce8d0c68b2997d71d0516f723

SHA256
5740eeb865e8da04af6d3dfff1a8051b0dac4dc27ca14a30dbcbd1807b1712c6

SHA512
bf889b34f6a3ebf2be29eb950dd9f71c6a1b10269dceec6c63ad7c04175cf79d64b6887814316e2e22801b4135fb37c02c390da1dcc9db5466933c769b672584

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkfaeki5\bkfaeki5.0.cs
Filesize
34KB

MD5
b056dc44506a4145e2642d5959ead5f2

SHA1
e67cd09700a8b7bcbecf006ed6aa90249aab765e

SHA256
a2d7d38fdaee967ae27b548db5eb709be0887cd1ebb31ff46ae6f58af681b38e

SHA512
2ff69c3a0792207a2ebeaf00e41e8acd3a9b91d95082af1a20a5cb4594d22488ed71ef1163f822edecf8646999daa298b724be2cbf9c097b75f7b68f4f35b4e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkfaeki5\bkfaeki5.cmdline
Filesize
312B

MD5
11d938b09f04bffbfbbcf1a0cd0b6d7a

SHA1
524270ed0492562d34e933a11fb642cd30e6dd1d

SHA256
529d7299ed3c2f8a2d7dc48e035e4287681d39edf3bf5828dace47bff94f2897

SHA512
a963421047a9c740be795d7e45b935fd4abca8f602086bc85e46fdb8f357534f53795bb3e3b61a4a74c714f4ed6a45b2d946f628e51853e7d23301fb72e21dec

Download Submit
memory/1420-145-0x0000000000000000-mapping.dmp

Download
memory/1652-152-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/1652-146-0x0000000000000000-mapping.dmp

Download
memory/1652-147-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1652-148-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/1652-149-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/1652-150-0x0000000005E40000-0x0000000005E52000-memory.dmp

Filesize
72KB

Download
memory/1652-151-0x0000000006A40000-0x0000000006A7C000-memory.dmp

Filesize
240KB

Download
memory/1756-155-0x0000000000000000-mapping.dmp

Download
memory/3360-158-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3360-157-0x0000000000000000-mapping.dmp

Download
memory/3472-156-0x0000000000000000-mapping.dmp

Download
memory/3992-153-0x0000000000000000-mapping.dmp

Download
memory/4028-144-0x0000000000000000-mapping.dmp

Download
memory/4212-137-0x0000000000000000-mapping.dmp

Download
memory/4308-133-0x0000000000430000-0x0000000000498000-memory.dmp

Filesize
416KB

Download
memory/4308-143-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4308-142-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/4608-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads