quasar | 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

General

Target

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Size

2.5MB
MD5

60603c03611bec2d605fd134af541c41
SHA1

97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
SHA256

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
SHA512

793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Score

10^/10

quasar persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 1 IoCs

Processes:

bnkpostale.exe

pid process

760 bnkpostale.exe
Loads dropped DLL 2 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

pid process

992 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
760 bnkpostale.exe

pid	process
760	bnkpostale.exe

pid	process
992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
760	bnkpostale.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\bnkpostale = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe\""	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1168 schtasks.exe
276 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

pid process

992 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
760 bnkpostale.exe

flow	ioc
1	ip-api.com

pid	process
1168	schtasks.exe
276	schtasks.exe

pid	process
992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
760	bnkpostale.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

description	pid	process
Token: 33	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: SeIncBasePriorityPrivilege	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: SeDebugPrivilege	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: 33	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: SeIncBasePriorityPrivilege	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: 33	760	bnkpostale.exe
Token: SeIncBasePriorityPrivilege	760	bnkpostale.exe
Token: SeDebugPrivilege	760	bnkpostale.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bnkpostale.exe

pid process

760 bnkpostale.exe

pid	process
760	bnkpostale.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

description	pid	process	target process
PID 992 wrote to memory of 1168	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 992 wrote to memory of 1168	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 992 wrote to memory of 1168	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 992 wrote to memory of 1168	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 992 wrote to memory of 760	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 992 wrote to memory of 760	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 992 wrote to memory of 760	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 992 wrote to memory of 760	992	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 760 wrote to memory of 276	760	bnkpostale.exe	schtasks.exe
PID 760 wrote to memory of 276	760	bnkpostale.exe	schtasks.exe
PID 760 wrote to memory of 276	760	bnkpostale.exe	schtasks.exe
PID 760 wrote to memory of 276	760	bnkpostale.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
"C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1168

C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
"C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
memory/276-72-0x0000000000000000-mapping.dmp

Download
memory/760-63-0x0000000000000000-mapping.dmp

Download
memory/760-65-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/760-71-0x0000000004B9B000-0x0000000004BAC000-memory.dmp

Filesize
68KB

Download
memory/760-73-0x0000000004B9B000-0x0000000004BAC000-memory.dmp

Filesize
68KB

Download
memory/992-54-0x0000000004F90000-0x0000000005198000-memory.dmp

Filesize
2.0MB

Download
memory/992-61-0x0000000004B3B000-0x0000000004B4C000-memory.dmp

Filesize
68KB

Download
memory/992-59-0x0000000004B3B000-0x0000000004B4C000-memory.dmp

Filesize
68KB

Download
memory/992-55-0x0000000002000000-0x0000000002140000-memory.dmp

Filesize
1.2MB

Download
memory/1168-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads