quasar | 84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

Analysis

max time kernel
91s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.8MB
MD5

c41aa4383be3c790c15b89ac0b52a046
SHA1

0544bd37de62b386fa2ad5d3511e30b6c62c7f97
SHA256

84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1
SHA512

b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc
SSDEEP

49152:3AA1/64VAI5jOkaEiJFc5+DOyUfnEza32ehyfTbBDm:3Aq/64VAI5ixEiJFbmIBa

Score

10^/10

quasar cheats spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Cheats

anubisgod.duckdns.org:1338

Mutex

6f2a7175-754c-4ce5-a610-2f8866732c05

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
dlscord.exe
log_directory
dlscordLogs
reconnect_delay
3000
startup_key
dlscord
subdirectory
dlscord

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4460-132-0x0000000000E50000-0x000000000111A000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

dlscord.exe

pid process

4964 dlscord.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4724 schtasks.exe
3192 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exedlscord.exe

description pid process

Token: SeDebugPrivilege 4460 tmp.exe
Token: SeDebugPrivilege 4964 dlscord.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dlscord.exe

pid process

4964 dlscord.exe

pid	process
4964	dlscord.exe

flow	ioc
23	api.ipify.org
24	api.ipify.org

pid	process
4724	schtasks.exe
3192	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4460	tmp.exe
Token: SeDebugPrivilege	4964	dlscord.exe

pid	process
4964	dlscord.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

tmp.exedlscord.exe

description	pid	process	target process
PID 4460 wrote to memory of 3192	4460	tmp.exe	schtasks.exe
PID 4460 wrote to memory of 3192	4460	tmp.exe	schtasks.exe
PID 4460 wrote to memory of 4964	4460	tmp.exe	dlscord.exe
PID 4460 wrote to memory of 4964	4460	tmp.exe	dlscord.exe
PID 4964 wrote to memory of 4724	4964	dlscord.exe	schtasks.exe
PID 4964 wrote to memory of 4724	4964	dlscord.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3192

C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
"C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
Filesize
2.8MB

MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
Filesize
2.8MB

MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
memory/3192-134-0x0000000000000000-mapping.dmp

Download
memory/4460-132-0x0000000000E50000-0x000000000111A000-memory.dmp

Filesize
2.8MB

Download
memory/4460-133-0x00007FF83C5A0000-0x00007FF83D061000-memory.dmp

Filesize
10.8MB

Download
memory/4460-138-0x00007FF83C5A0000-0x00007FF83D061000-memory.dmp

Filesize
10.8MB

Download
memory/4724-140-0x0000000000000000-mapping.dmp

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4964-139-0x00007FF83C5A0000-0x00007FF83D061000-memory.dmp

Filesize
10.8MB

Download
memory/4964-141-0x000000001B460000-0x000000001B4B0000-memory.dmp

Filesize
320KB

Download
memory/4964-142-0x000000001C930000-0x000000001C9E2000-memory.dmp

Filesize
712KB

Download
memory/4964-143-0x00007FF83C5A0000-0x00007FF83D061000-memory.dmp

Filesize
10.8MB

Download