quasar | 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

General

Target

fd9cbccbd2803786c5ea2bf54b22d693.exe
Size

1.0MB
MD5

fd9cbccbd2803786c5ea2bf54b22d693
SHA1

97b675207f5679503f89096e7ae99b38b1bea382
SHA256

0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512

900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
SSDEEP

24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc

Score

10^/10

quasar 1877 spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

1877

C2

overthinker1877.duckdns.org:4545

Mutex

xiBqon3YI4gHicsPTt

Attributes

encryption_key
IshCdNN3oYnjATmMydkq
install_name
1877.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-54-0x0000000000A50000-0x0000000000B60000-memory.dmp	family_quasar
behavioral1/memory/1292-62-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in Program Files directory 3 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.exefd9cbccbd2803786c5ea2bf54b22d693.exe

description	ioc	process
File created	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
File opened for modification	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
File created	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1116 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

316 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.exefd9cbccbd2803786c5ea2bf54b22d693.exe

description pid process

Token: SeDebugPrivilege 1748 fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeDebugPrivilege 1292 fd9cbccbd2803786c5ea2bf54b22d693.exe

pid	process
1116	schtasks.exe

pid	process
316	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeDebugPrivilege	1292	fd9cbccbd2803786c5ea2bf54b22d693.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 1116	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1748 wrote to memory of 1116	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1748 wrote to memory of 1116	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1748 wrote to memory of 1116	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1748 wrote to memory of 700	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 1748 wrote to memory of 700	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 1748 wrote to memory of 700	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 1748 wrote to memory of 700	1748	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 700 wrote to memory of 1576	700	cmd.exe	chcp.com
PID 700 wrote to memory of 1576	700	cmd.exe	chcp.com
PID 700 wrote to memory of 1576	700	cmd.exe	chcp.com
PID 700 wrote to memory of 1576	700	cmd.exe	chcp.com
PID 700 wrote to memory of 316	700	cmd.exe	PING.EXE
PID 700 wrote to memory of 316	700	cmd.exe	PING.EXE
PID 700 wrote to memory of 316	700	cmd.exe	PING.EXE
PID 700 wrote to memory of 316	700	cmd.exe	PING.EXE
PID 700 wrote to memory of 1292	700	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 700 wrote to memory of 1292	700	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 700 wrote to memory of 1292	700	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 700 wrote to memory of 1292	700	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe

C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MtYop1MxI3MZ.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:316

C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MtYop1MxI3MZ.bat
Filesize
229B

MD5
b8b86733b944b25212f576554f15112f

SHA1
8591e58c395d2d8c826f59f322459bd69a98695a

SHA256
286e70ce8893fa3831a7a81e9cd95bab91d6bd9a85376cc3c996e319ce36980c

SHA512
18b6e360b655afd0aae8652631babd3c36cab34a04c62c2059ad28ecd704b68fbe7dd32fd85c87c23ec3db8c1301623b4588bccbcdfa8d477534384821c12a6d

Download Submit
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/700-57-0x0000000000000000-mapping.dmp

Download
memory/1116-56-0x0000000000000000-mapping.dmp

Download
memory/1292-61-0x0000000000000000-mapping.dmp

Download
memory/1292-62-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/1576-59-0x0000000000000000-mapping.dmp

Download
memory/1748-54-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/1748-55-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads