quasar | 191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8

General

Target

quasar_clean.exe
Size

376KB
MD5

1e9ac0b5547b0fa980e4ee8529677be5
SHA1

c25c80b4325218cd8e4f4ca11e404293829963f2
SHA256

191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8
SHA512

e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5
SSDEEP

6144:B8NHXf500M+4EFC4KQk7lKxbvY67CACSerymKtwe:6d50yAQlbCjSerymmwe

Score

10^/10

quasar top spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

top

C2

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_NKzsG6279pND1MmPDw

Attributes

encryption_key
6c7zzdS2IXrGaCb9wrMU
install_name
tors.exe
log_directory
Logs
reconnect_delay
5000
startup_key
tdm
subdirectory
tilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-54-0x0000000000380000-0x00000000003DE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\tilk\tors.exe	family_quasar
C:\Users\Admin\AppData\Roaming\tilk\tors.exe	family_quasar
C:\Users\Admin\AppData\Roaming\tilk\tors.exe	family_quasar
behavioral1/memory/992-61-0x0000000000BC0000-0x0000000000C1E000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

tors.exe

pid process

992 tors.exe
Loads dropped DLL 1 IoCs

Processes:

quasar_clean.exe

pid process

1956 quasar_clean.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1156 schtasks.exe
1676 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

quasar_clean.exetors.exe

description pid process

Token: SeDebugPrivilege 1956 quasar_clean.exe
Token: SeDebugPrivilege 992 tors.exe

pid	process
992	tors.exe

pid	process
1956	quasar_clean.exe

flow	ioc
1	ip-api.com

pid	process
1156	schtasks.exe
1676	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1956	quasar_clean.exe
Token: SeDebugPrivilege	992	tors.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

quasar_clean.exetors.exe

description	pid	process	target process
PID 1956 wrote to memory of 1156	1956	quasar_clean.exe	schtasks.exe
PID 1956 wrote to memory of 1156	1956	quasar_clean.exe	schtasks.exe
PID 1956 wrote to memory of 1156	1956	quasar_clean.exe	schtasks.exe
PID 1956 wrote to memory of 1156	1956	quasar_clean.exe	schtasks.exe
PID 1956 wrote to memory of 992	1956	quasar_clean.exe	tors.exe
PID 1956 wrote to memory of 992	1956	quasar_clean.exe	tors.exe
PID 1956 wrote to memory of 992	1956	quasar_clean.exe	tors.exe
PID 1956 wrote to memory of 992	1956	quasar_clean.exe	tors.exe
PID 992 wrote to memory of 1676	992	tors.exe	schtasks.exe
PID 992 wrote to memory of 1676	992	tors.exe	schtasks.exe
PID 992 wrote to memory of 1676	992	tors.exe	schtasks.exe
PID 992 wrote to memory of 1676	992	tors.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe
"C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\quasar_clean.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1156

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
"C:\Users\Admin\AppData\Roaming\tilk\tors.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "tdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\tilk\tors.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
376KB

MD5
1e9ac0b5547b0fa980e4ee8529677be5

SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2

SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8

SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5

Download Submit
C:\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
376KB

MD5
1e9ac0b5547b0fa980e4ee8529677be5

SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2

SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8

SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5

Download Submit
\Users\Admin\AppData\Roaming\tilk\tors.exe
Filesize
376KB

MD5
1e9ac0b5547b0fa980e4ee8529677be5

SHA1
c25c80b4325218cd8e4f4ca11e404293829963f2

SHA256
191e85b65efedab77e67bdaa3a4aad1915f0fa991c1858b359d8a92c679206a8

SHA512
e86c50705690191ab37f84d9c9675e8c820d9dee9bc9b54dba689c0bcfe9a55d8faf0ade793c01eaa5a66a60741e4794d884d9f140126a58f0388faaa9c85ec5

Download Submit
memory/992-58-0x0000000000000000-mapping.dmp

Download
memory/992-61-0x0000000000BC0000-0x0000000000C1E000-memory.dmp

Filesize
376KB

Download
memory/1156-56-0x0000000000000000-mapping.dmp

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download
memory/1956-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads