quasar | bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1

Analysis

max time kernel
145s
max time network
302s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
Size

1.7MB
MD5

be5deb4eb43a1b071f8a2224787b4986
SHA1

ad145fe797c4fadfaec2f29146bd70d35f820d11
SHA256

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1
SHA512

dd55a9cf9acfe26379bf469337b7ea8ace697a6430eab44cf5aa9b9afa6667ab59faa6100ce78c9e7cef1f7b04b25ef729c6c9dbd61ce7ef45a17bf17d9aa668
SSDEEP

24576:PUxJIRCRoenYQb6VOJ8Kgn1beVuumyEU:

Score

10^/10

quasar cio persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Cio

162.19.131.197:4782

Mutex

c5fdf017-8f44-47ea-a69e-0b82e4044ca7

Attributes

encryption_key
59A92039F951E5069C9F50FD9F340E759713B058
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5004-273-0x000000000047E79E-mapping.dmp	family_quasar
behavioral2/memory/5004-308-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jlnprgcxco = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eqbuy\\Jlnprgcxco.exe\""	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org

flow	ioc
8	api.ipify.org
9	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

description	pid	process	target process
PID 2716 set thread context of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exepowershell.exe

pid process

2716 bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
4064 powershell.exe
4064 powershell.exe
4064 powershell.exe

pid	process
2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
4064	powershell.exe
4064	powershell.exe
4064	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exepowershell.exebace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

description	pid	process
Token: SeDebugPrivilege	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	5004	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

pid process

5004 bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

pid	process
5004	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

description	pid	process	target process
PID 2716 wrote to memory of 4064	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	powershell.exe
PID 2716 wrote to memory of 4064	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	powershell.exe
PID 2716 wrote to memory of 4064	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	powershell.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
PID 2716 wrote to memory of 5004	2716	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe	bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe

C:\Users\Admin\AppData\Local\Temp\bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
"C:\Users\Admin\AppData\Local\Temp\bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Local\Temp\bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
C:\Users\Admin\AppData\Local\Temp\bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bace836593264e31d5df7ea8adca4ef4536859addaa2819f5f63a76266cd07a1.exe.log
Filesize
1KB

MD5
5c01a57bb6376dc958d99ed7a67870ff

SHA1
d092c7dfd148ac12b086049d215e6b00bd78628d

SHA256
cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

SHA512
e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

Download Submit
memory/2716-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-148-0x0000000000800000-0x00000000009C0000-memory.dmp

Filesize
1.8MB

Download
memory/2716-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-156-0x0000000005250000-0x0000000005332000-memory.dmp

Filesize
904KB

Download
memory/2716-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-159-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2716-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-164-0x0000000005D10000-0x0000000005D32000-memory.dmp

Filesize
136KB

Download
memory/2716-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-166-0x0000000005D40000-0x0000000006090000-memory.dmp

Filesize
3.3MB

Download
memory/2716-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-180-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-183-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-184-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4064-185-0x0000000000000000-mapping.dmp

Download
memory/4064-221-0x0000000004600000-0x0000000004636000-memory.dmp

Filesize
216KB

Download
memory/4064-226-0x00000000071E0000-0x0000000007808000-memory.dmp

Filesize
6.2MB

Download
memory/4064-245-0x0000000007120000-0x0000000007186000-memory.dmp

Filesize
408KB

Download
memory/4064-246-0x0000000007880000-0x00000000078E6000-memory.dmp

Filesize
408KB

Download
memory/4064-249-0x0000000007840000-0x000000000785C000-memory.dmp

Filesize
112KB

Download
memory/4064-250-0x0000000008140000-0x000000000818B000-memory.dmp

Filesize
300KB

Download
memory/4064-254-0x0000000008190000-0x0000000008206000-memory.dmp

Filesize
472KB

Download
memory/4064-265-0x0000000009810000-0x0000000009E88000-memory.dmp

Filesize
6.5MB

Download
memory/4064-266-0x0000000008F50000-0x0000000008F6A000-memory.dmp

Filesize
104KB

Download
memory/5004-273-0x000000000047E79E-mapping.dmp

Download
memory/5004-308-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5004-312-0x0000000005C30000-0x000000000612E000-memory.dmp

Filesize
5.0MB

Download
memory/5004-313-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/5004-330-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/5004-334-0x0000000006A40000-0x0000000007046000-memory.dmp

Filesize
6.0MB

Download
memory/5004-336-0x0000000005B70000-0x0000000005BC0000-memory.dmp

Filesize
320KB

Download
memory/5004-337-0x00000000065B0000-0x0000000006662000-memory.dmp

Filesize
712KB

Download