quasar | 15a42865e3b9563b0162987d9ba85a18fe6f7befb28d39daed3277434347200f

General

Target

sexy.exe
Size

502KB
MD5

0e28531b24a9dea26005a84d0f9dfa94
SHA1

a749c6ab791a98fa17cc7251c37cf41ed2ca4277
SHA256

15a42865e3b9563b0162987d9ba85a18fe6f7befb28d39daed3277434347200f
SHA512

13d7596d08742b8425d461e38b007366c5ed3a9fe4b691e4b0bcc20548746a8813a3c1722f7e3ec08fbd7eb1916aa9fe436bf9c2179fe394d3663f406e83fc91

Score

10^/10

quasar pd spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Pd

C2

djetdixipleshacker.ddns.net:4782

Mutex

c6993971-9d33-47ee-97be-1ee4c55f5b22

Attributes

encryption_key
5BF63D2A9E5DC89F2E977D9F2C3F6E7245BE30C9
install_name
WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
log_directory
Logs
reconnect_delay
3000
startup_key
sussy
subdirectory
Microdoux

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4376-130-0x0000000000B50000-0x0000000000BD4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe	family_quasar

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
suricata
Executes dropped EXE 1 IoCs

Processes:

WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

pid process

2988 WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
29 api.ipify.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

488 3960 WerFault.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4740 schtasks.exe
4608 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sexy.exeWINDOWSREPAIRPROGRAMEFORVBUCKS.exe

description pid process

Token: SeDebugPrivilege 4376 sexy.exe
Token: SeDebugPrivilege 2988 WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

pid process

2988 WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

pid	process
2988	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

flow	ioc
28	api.ipify.org
29	api.ipify.org

pid	pid_target	process	target process
488	3960	WerFault.exe

pid	process
4740	schtasks.exe
4608	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4376	sexy.exe
Token: SeDebugPrivilege	2988	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

pid	process
2988	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sexy.exeWINDOWSREPAIRPROGRAMEFORVBUCKS.exe

description	pid	process	target process
PID 4376 wrote to memory of 4740	4376	sexy.exe	schtasks.exe
PID 4376 wrote to memory of 4740	4376	sexy.exe	schtasks.exe
PID 4376 wrote to memory of 2988	4376	sexy.exe	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
PID 4376 wrote to memory of 2988	4376	sexy.exe	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
PID 2988 wrote to memory of 4608	2988	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe	schtasks.exe
PID 2988 wrote to memory of 4608	2988	WINDOWSREPAIRPROGRAMEFORVBUCKS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\sexy.exe
"C:\Users\Admin\AppData\Local\Temp\sexy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sussy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\sexy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4740

C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe
"C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sussy" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3960 -ip 3960
1⤵
PID:2992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3960 -s 1760
1⤵
- Program crash
PID:488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

Filesize
502KB

MD5
0e28531b24a9dea26005a84d0f9dfa94

SHA1
a749c6ab791a98fa17cc7251c37cf41ed2ca4277

SHA256
15a42865e3b9563b0162987d9ba85a18fe6f7befb28d39daed3277434347200f

SHA512
13d7596d08742b8425d461e38b007366c5ed3a9fe4b691e4b0bcc20548746a8813a3c1722f7e3ec08fbd7eb1916aa9fe436bf9c2179fe394d3663f406e83fc91

Download Submit
C:\Users\Admin\AppData\Roaming\Microdoux\WINDOWSREPAIRPROGRAMEFORVBUCKS.exe

Filesize
502KB

MD5
0e28531b24a9dea26005a84d0f9dfa94

SHA1
a749c6ab791a98fa17cc7251c37cf41ed2ca4277

SHA256
15a42865e3b9563b0162987d9ba85a18fe6f7befb28d39daed3277434347200f

SHA512
13d7596d08742b8425d461e38b007366c5ed3a9fe4b691e4b0bcc20548746a8813a3c1722f7e3ec08fbd7eb1916aa9fe436bf9c2179fe394d3663f406e83fc91

Download Submit
memory/2988-133-0x0000000000000000-mapping.dmp

Download
memory/2988-137-0x00007FFB32560000-0x00007FFB33021000-memory.dmp

Filesize
10.8MB

Download
memory/2988-139-0x000000001B300000-0x000000001B350000-memory.dmp

Filesize
320KB

Download
memory/2988-140-0x000000001C3C0000-0x000000001C472000-memory.dmp

Filesize
712KB

Download
memory/2988-141-0x00007FFB32560000-0x00007FFB33021000-memory.dmp

Filesize
10.8MB

Download
memory/4376-130-0x0000000000B50000-0x0000000000BD4000-memory.dmp

Filesize
528KB

Download
memory/4376-131-0x00007FFB32560000-0x00007FFB33021000-memory.dmp

Filesize
10.8MB

Download
memory/4376-136-0x00007FFB32560000-0x00007FFB33021000-memory.dmp

Filesize
10.8MB

Download
memory/4608-138-0x0000000000000000-mapping.dmp

Download
memory/4740-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads