quasar | 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

Analysis

max time kernel
42s
max time network
68s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Size

349KB
MD5

94cb4509fbc7d4a000a35094532b2dc6
SHA1

e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512

7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Score

10^/10

quasar matei spyware suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Matei

getrektscrub.hopto.org:4782

Mutex

QSR_MUTEX_KkiFVxzP7AThmUYEE7

Attributes

encryption_key
g4oiMoBrx37SHLCg4wcA
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/288-54-0x0000000000E70000-0x0000000000ECE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
behavioral1/memory/1724-61-0x0000000001050000-0x00000000010AE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe	family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1724 svchost.exe
1920 svchost.exe

pid	process
1724	svchost.exe
1920	svchost.exe

Loads dropped DLL 6 IoCs

Processes:

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exeWerFault.exe

pid	process
288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1244 1724 WerFault.exe svchost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1984 schtasks.exe
1500 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1128 PING.EXE

flow	ioc
1	ip-api.com

pid	pid_target	process	target process
1244	1724	WerFault.exe	svchost.exe

pid	process
1984	schtasks.exe
1500	schtasks.exe

pid	process
1128	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
Token: SeDebugPrivilege	1724	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1724 svchost.exe

pid	process
1724	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exesvchost.execmd.exe

description	pid	process	target process
PID 288 wrote to memory of 1984	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 288 wrote to memory of 1984	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 288 wrote to memory of 1984	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 288 wrote to memory of 1984	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	schtasks.exe
PID 288 wrote to memory of 1724	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 288 wrote to memory of 1724	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 288 wrote to memory of 1724	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 288 wrote to memory of 1724	288	5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe	svchost.exe
PID 1724 wrote to memory of 1500	1724	svchost.exe	schtasks.exe
PID 1724 wrote to memory of 1500	1724	svchost.exe	schtasks.exe
PID 1724 wrote to memory of 1500	1724	svchost.exe	schtasks.exe
PID 1724 wrote to memory of 1500	1724	svchost.exe	schtasks.exe
PID 1724 wrote to memory of 1916	1724	svchost.exe	cmd.exe
PID 1724 wrote to memory of 1916	1724	svchost.exe	cmd.exe
PID 1724 wrote to memory of 1916	1724	svchost.exe	cmd.exe
PID 1724 wrote to memory of 1916	1724	svchost.exe	cmd.exe
PID 1724 wrote to memory of 1244	1724	svchost.exe	WerFault.exe
PID 1724 wrote to memory of 1244	1724	svchost.exe	WerFault.exe
PID 1724 wrote to memory of 1244	1724	svchost.exe	WerFault.exe
PID 1724 wrote to memory of 1244	1724	svchost.exe	WerFault.exe
PID 1916 wrote to memory of 1864	1916	cmd.exe	chcp.com
PID 1916 wrote to memory of 1864	1916	cmd.exe	chcp.com
PID 1916 wrote to memory of 1864	1916	cmd.exe	chcp.com
PID 1916 wrote to memory of 1864	1916	cmd.exe	chcp.com
PID 1916 wrote to memory of 1128	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 1128	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 1128	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 1128	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 1920	1916	cmd.exe	svchost.exe
PID 1916 wrote to memory of 1920	1916	cmd.exe	svchost.exe
PID 1916 wrote to memory of 1920	1916	cmd.exe	svchost.exe
PID 1916 wrote to memory of 1920	1916	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe
"C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emFphGyuDX1g.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
4⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1480
3⤵
- Loads dropped DLL
- Program crash
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\emFphGyuDX1g.bat
Filesize
208B

MD5
6ec4d3bdc68a823faa8d83a3fdfc03ba

SHA1
663aa05d63d024e904bc61e442279c4fe8094901

SHA256
50d84e2e242c120e1b54c032a57c051807728406e1899eea8199438e62904e8d

SHA512
e0f656854c9cc5b98c7f029d472f810f7a65462f0793ea127db6052aed0efc63114c8caec9d4552d325b1a1b7cfa23674ca9eed6d3e0e251ccfc0bf24e6a20f7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
\Users\Admin\AppData\Roaming\SubDir\svchost.exe
Filesize
349KB

MD5
94cb4509fbc7d4a000a35094532b2dc6

SHA1
e3a609c58c08a2d34f6f384b40dcf5df0c361c39

SHA256
5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2

SHA512
7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Download Submit
memory/288-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/288-54-0x0000000000E70000-0x0000000000ECE000-memory.dmp

Filesize
376KB

Download
memory/1128-72-0x0000000000000000-mapping.dmp

Download
memory/1244-66-0x0000000000000000-mapping.dmp

Download
memory/1500-63-0x0000000000000000-mapping.dmp

Download
memory/1724-61-0x0000000001050000-0x00000000010AE000-memory.dmp

Filesize
376KB

Download
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1864-67-0x0000000000000000-mapping.dmp

Download
memory/1916-64-0x0000000000000000-mapping.dmp

Download
memory/1920-74-0x0000000000000000-mapping.dmp

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download