quasar | 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

General

Target

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Size

2.5MB
MD5

60603c03611bec2d605fd134af541c41
SHA1

97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
SHA256

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
SHA512

793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Score

10^/10

quasar persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 1 IoCs

Processes:

bnkpostale.exe

pid process

4068 bnkpostale.exe

pid	process
4068	bnkpostale.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bnkpostale.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnkpostale = "\"C:\\Users\\Admin\\AppData\\Roaming\\bnkpostale\\bnkpostale.exe\""	bnkpostale.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4400 schtasks.exe
4048 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

pid process

688 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
4068 bnkpostale.exe

flow	ioc
7	ip-api.com

pid	process
4400	schtasks.exe
4048	schtasks.exe

pid	process
688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
4068	bnkpostale.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

description	pid	process
Token: 33	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: SeIncBasePriorityPrivilege	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: SeDebugPrivilege	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Token: 33	4068	bnkpostale.exe
Token: SeIncBasePriorityPrivilege	4068	bnkpostale.exe
Token: SeDebugPrivilege	4068	bnkpostale.exe
Token: 33	4068	bnkpostale.exe
Token: SeIncBasePriorityPrivilege	4068	bnkpostale.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bnkpostale.exe

pid process

4068 bnkpostale.exe

pid	process
4068	bnkpostale.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exebnkpostale.exe

description	pid	process	target process
PID 688 wrote to memory of 4048	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 688 wrote to memory of 4048	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 688 wrote to memory of 4048	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	schtasks.exe
PID 688 wrote to memory of 4068	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 688 wrote to memory of 4068	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 688 wrote to memory of 4068	688	5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe	bnkpostale.exe
PID 4068 wrote to memory of 4400	4068	bnkpostale.exe	schtasks.exe
PID 4068 wrote to memory of 4400	4068	bnkpostale.exe	schtasks.exe
PID 4068 wrote to memory of 4400	4068	bnkpostale.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
"C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4048

C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
"C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
Filesize
2.5MB

MD5
60603c03611bec2d605fd134af541c41

SHA1
97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb

SHA256
5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5

SHA512
793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed

Download Submit
memory/688-130-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/688-131-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/688-132-0x0000000004B30000-0x0000000004B96000-memory.dmp

Filesize
408KB

Download
memory/688-133-0x0000000005E90000-0x0000000005EA2000-memory.dmp

Filesize
72KB

Download
memory/688-134-0x00000000062A0000-0x00000000062DC000-memory.dmp

Filesize
240KB

Download
memory/4048-135-0x0000000000000000-mapping.dmp

Download
memory/4068-136-0x0000000000000000-mapping.dmp

Download
memory/4068-140-0x0000000006570000-0x000000000657A000-memory.dmp

Filesize
40KB

Download
memory/4400-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads