quasar | dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995

General

Target

dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
Size

763KB
MD5

0cd6977068202fb2a7b3ab7c552ec508
SHA1

d012374c33fdb7337412c92f7fa4eb9ad2dd2068
SHA256

dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995
SHA512

3a85063893354d7946e3e1a7828592e5319668ce4b732b35376be5039a875d8c1216fd4c823b8d4122f693e5941694fcef382f6ddc1b15c2ba66c63d6c75c2b5

Score

10^/10

quasar revengerat slave persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Slave

C2

167.99.251.51:3693

Mutex

iyE19BRC25gRWkYEfy

Attributes

encryption_key
bbCsAyVHv9b0Y3vfJLN0
install_name
Client.exe
log_directory
Explorer
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1672-75-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1672-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1672-77-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1672-78-0x000000000044943E-mapping.dmp	family_quasar
behavioral1/memory/1672-80-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar
behavioral1/memory/1672-82-0x0000000000400000-0x000000000044E000-memory.dmp	family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 2 IoCs

Processes:

Cortana.exeCortana.exe

pid process

1028 Cortana.exe
2020 Cortana.exe

pid	process
1028	Cortana.exe
2020	Cortana.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Cortana.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Cortana.exe -boot"	Cortana.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Cortana.exe

description pid process target process

PID 1028 set thread context of 1672 1028 Cortana.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1028 set thread context of 1672	1028	Cortana.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exeCortana.exeCortana.exe

pid	process
1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
1028	Cortana.exe
2020	Cortana.exe
1028	Cortana.exe
1028	Cortana.exe
1028	Cortana.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exeCortana.exeCortana.exe

description	pid	process
Token: SeDebugPrivilege	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
Token: SeDebugPrivilege	1028	Cortana.exe
Token: SeDebugPrivilege	2020	Cortana.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exeexplorer.exeCortana.exe

description	pid	process	target process
PID 1492 wrote to memory of 1184	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	cmd.exe
PID 1492 wrote to memory of 1184	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	cmd.exe
PID 1492 wrote to memory of 1184	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	cmd.exe
PID 1492 wrote to memory of 1184	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	cmd.exe
PID 1492 wrote to memory of 1936	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	explorer.exe
PID 1492 wrote to memory of 1936	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	explorer.exe
PID 1492 wrote to memory of 1936	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	explorer.exe
PID 1492 wrote to memory of 1936	1492	dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe	explorer.exe
PID 1740 wrote to memory of 1028	1740	explorer.exe	Cortana.exe
PID 1740 wrote to memory of 1028	1740	explorer.exe	Cortana.exe
PID 1740 wrote to memory of 1028	1740	explorer.exe	Cortana.exe
PID 1740 wrote to memory of 1028	1740	explorer.exe	Cortana.exe
PID 1028 wrote to memory of 2020	1028	Cortana.exe	Cortana.exe
PID 1028 wrote to memory of 2020	1028	Cortana.exe	Cortana.exe
PID 1028 wrote to memory of 2020	1028	Cortana.exe	Cortana.exe
PID 1028 wrote to memory of 2020	1028	Cortana.exe	Cortana.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe
PID 1028 wrote to memory of 1672	1028	Cortana.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe
"C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995.exe" "C:\Users\Admin\AppData\Local\Cortana.exe"
2⤵
PID:1184

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\Cortana.exe"
2⤵
PID:1936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Cortana.exe
"C:\Users\Admin\AppData\Local\Cortana.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Cortana.exe
"C:\Users\Admin\AppData\Local\Cortana.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cortana.exe
Filesize
763KB

MD5
0cd6977068202fb2a7b3ab7c552ec508

SHA1
d012374c33fdb7337412c92f7fa4eb9ad2dd2068

SHA256
dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995

SHA512
3a85063893354d7946e3e1a7828592e5319668ce4b732b35376be5039a875d8c1216fd4c823b8d4122f693e5941694fcef382f6ddc1b15c2ba66c63d6c75c2b5

Download Submit
C:\Users\Admin\AppData\Local\Cortana.exe
Filesize
763KB

MD5
0cd6977068202fb2a7b3ab7c552ec508

SHA1
d012374c33fdb7337412c92f7fa4eb9ad2dd2068

SHA256
dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995

SHA512
3a85063893354d7946e3e1a7828592e5319668ce4b732b35376be5039a875d8c1216fd4c823b8d4122f693e5941694fcef382f6ddc1b15c2ba66c63d6c75c2b5

Download Submit
C:\Users\Admin\AppData\Local\Cortana.exe
Filesize
763KB

MD5
0cd6977068202fb2a7b3ab7c552ec508

SHA1
d012374c33fdb7337412c92f7fa4eb9ad2dd2068

SHA256
dce3b8f6c67292d33c786fe0e92b9df5c63975c5e89a74fe4115defb56c66995

SHA512
3a85063893354d7946e3e1a7828592e5319668ce4b732b35376be5039a875d8c1216fd4c823b8d4122f693e5941694fcef382f6ddc1b15c2ba66c63d6c75c2b5

Download Submit
memory/1028-67-0x00000000002A0000-0x0000000000362000-memory.dmp

Filesize
776KB

Download
memory/1028-65-0x0000000000000000-mapping.dmp

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1492-55-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/1492-58-0x000000000038B000-0x000000000038E000-memory.dmp

Filesize
12KB

Download
memory/1492-56-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1492-54-0x0000000001320000-0x00000000013E2000-memory.dmp

Filesize
776KB

Download
memory/1492-57-0x000000000039F000-0x00000000003A2000-memory.dmp

Filesize
12KB

Download
memory/1672-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-78-0x000000000044943E-mapping.dmp

Download
memory/1672-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-82-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1740-63-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1936-60-0x0000000000000000-mapping.dmp

Download
memory/1936-62-0x0000000074E21000-0x0000000074E23000-memory.dmp

Filesize
8KB

Download
memory/2020-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads