quasar | f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57

General

Target

f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
Size

347KB
MD5

0c7b4927d8473e50866b28bc6ec37c07
SHA1

ccc11ecdbce975a18b9a673d4adbcff48168af12
SHA256

f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57
SHA512

6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07
SSDEEP

6144:4dSz2Hgw9AHLrTfBkuaFnXDtcCy13o6w2uu7z7SYSb04sqvgJADBd/xz/:kUsAHLrTfBkuaFnXDtcCyrw2uu7zdplE

Score

10^/10

quasar system spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

system

C2

106.12.192.231:4782

Mutex

QSR_MUTEX_j15VAOgMonMS1ue4Db

Attributes

encryption_key
R2b2TrZWSxj5VWSKaHoD
install_name
system.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
.WINDOWS

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-54-0x0000000000290000-0x00000000002EE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\.WINDOWS\system.exe	family_quasar
C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe	family_quasar
C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe	family_quasar
behavioral1/memory/1448-61-0x0000000000C70000-0x0000000000CCE000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

1448 system.exe
Loads dropped DLL 1 IoCs

Processes:

f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe

pid process

1680 f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1988 schtasks.exe
1456 schtasks.exe

pid	process
1448	system.exe

pid	process
1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe

flow	ioc
1	ip-api.com

pid	process
1988	schtasks.exe
1456	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
Token: SeDebugPrivilege	1448	system.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system.exe

pid process

1448 system.exe

pid	process
1448	system.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exesystem.exe

description	pid	process	target process
PID 1680 wrote to memory of 1988	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	schtasks.exe
PID 1680 wrote to memory of 1988	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	schtasks.exe
PID 1680 wrote to memory of 1988	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	schtasks.exe
PID 1680 wrote to memory of 1988	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	schtasks.exe
PID 1680 wrote to memory of 1448	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	system.exe
PID 1680 wrote to memory of 1448	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	system.exe
PID 1680 wrote to memory of 1448	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	system.exe
PID 1680 wrote to memory of 1448	1680	f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe	system.exe
PID 1448 wrote to memory of 1456	1448	system.exe	schtasks.exe
PID 1448 wrote to memory of 1456	1448	system.exe	schtasks.exe
PID 1448 wrote to memory of 1456	1448	system.exe	schtasks.exe
PID 1448 wrote to memory of 1456	1448	system.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe
"C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1988

C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
"C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
Filesize
347KB

MD5
0c7b4927d8473e50866b28bc6ec37c07

SHA1
ccc11ecdbce975a18b9a673d4adbcff48168af12

SHA256
f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57

SHA512
6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07

Download Submit
C:\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
Filesize
347KB

MD5
0c7b4927d8473e50866b28bc6ec37c07

SHA1
ccc11ecdbce975a18b9a673d4adbcff48168af12

SHA256
f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57

SHA512
6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07

Download Submit
\Users\Admin\AppData\Roaming\.WINDOWS\system.exe
Filesize
347KB

MD5
0c7b4927d8473e50866b28bc6ec37c07

SHA1
ccc11ecdbce975a18b9a673d4adbcff48168af12

SHA256
f0196c77923649dad5a31d766fbef2ccb35cacebb44c76cd934f14c83e09ff57

SHA512
6979018af30d5635e8f3a9272ab61fed921a94178e6d5aa72b8159791eca2f259ee8a8ba257ec89b955e6ba192f1320850f9652153815c427d0ba68ef5142f07

Download Submit
memory/1448-58-0x0000000000000000-mapping.dmp

Download
memory/1448-61-0x0000000000C70000-0x0000000000CCE000-memory.dmp

Filesize
376KB

Download
memory/1456-63-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000000290000-0x00000000002EE000-memory.dmp

Filesize
376KB

Download
memory/1680-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1988-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads