quasar | 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

General

Target

fd9cbccbd2803786c5ea2bf54b22d693.exe
Size

1.0MB
MD5

fd9cbccbd2803786c5ea2bf54b22d693
SHA1

97b675207f5679503f89096e7ae99b38b1bea382
SHA256

0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512

900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
SSDEEP

24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc

Score

10^/10

quasar 1877 spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

1877

C2

overthinker1877.duckdns.org:4545

Mutex

xiBqon3YI4gHicsPTt

Attributes

encryption_key
IshCdNN3oYnjATmMydkq
install_name
1877.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4576-132-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar
C:\Program Files (x86)\1877.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

1877.exe

pid process

4832 1877.exe

pid	process
4832	1877.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fd9cbccbd2803786c5ea2bf54b22d693.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 ip-api.com
96 ip-api.com

flow	ioc
45	ip-api.com
96	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.exefd9cbccbd2803786c5ea2bf54b22d693.exe

description	ioc	process
File created	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
File opened for modification	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
File created	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
File opened for modification	C:\Program Files (x86)\1877.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2260 schtasks.exe
4428 schtasks.exe
1568 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2128 PING.EXE

pid	process
2260	schtasks.exe
4428	schtasks.exe
1568	schtasks.exe

pid	process
2128	PING.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.exefd9cbccbd2803786c5ea2bf54b22d693.exe1877.exe

description	pid	process
Token: SeDebugPrivilege	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeDebugPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeDebugPrivilege	4832	1877.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeSecurityPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe
Token: SeBackupPrivilege	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fd9cbccbd2803786c5ea2bf54b22d693.execmd.exefd9cbccbd2803786c5ea2bf54b22d693.exe1877.exe

description	pid	process	target process
PID 4576 wrote to memory of 2260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 4576 wrote to memory of 2260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 4576 wrote to memory of 2260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 4576 wrote to memory of 1260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 4576 wrote to memory of 1260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 4576 wrote to memory of 1260	4576	fd9cbccbd2803786c5ea2bf54b22d693.exe	cmd.exe
PID 1260 wrote to memory of 3152	1260	cmd.exe	chcp.com
PID 1260 wrote to memory of 3152	1260	cmd.exe	chcp.com
PID 1260 wrote to memory of 3152	1260	cmd.exe	chcp.com
PID 1260 wrote to memory of 2128	1260	cmd.exe	PING.EXE
PID 1260 wrote to memory of 2128	1260	cmd.exe	PING.EXE
PID 1260 wrote to memory of 2128	1260	cmd.exe	PING.EXE
PID 1260 wrote to memory of 1008	1260	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 1260 wrote to memory of 1008	1260	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 1260 wrote to memory of 1008	1260	cmd.exe	fd9cbccbd2803786c5ea2bf54b22d693.exe
PID 1008 wrote to memory of 4428	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1008 wrote to memory of 4428	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1008 wrote to memory of 4428	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	schtasks.exe
PID 1008 wrote to memory of 4832	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	1877.exe
PID 1008 wrote to memory of 4832	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	1877.exe
PID 1008 wrote to memory of 4832	1008	fd9cbccbd2803786c5ea2bf54b22d693.exe	1877.exe
PID 4832 wrote to memory of 1568	4832	1877.exe	schtasks.exe
PID 4832 wrote to memory of 1568	4832	1877.exe	schtasks.exe
PID 4832 wrote to memory of 1568	4832	1877.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ponWCq7XIqaf.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2128

C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe
"C:\Users\Admin\AppData\Local\Temp\fd9cbccbd2803786c5ea2bf54b22d693.exe"
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4428

C:\Program Files (x86)\1877.exe
"C:\Program Files (x86)\1877.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Program Files (x86)\1877.exe
Filesize
1.0MB

MD5
fd9cbccbd2803786c5ea2bf54b22d693

SHA1
97b675207f5679503f89096e7ae99b38b1bea382

SHA256
0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

SHA512
900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fd9cbccbd2803786c5ea2bf54b22d693.exe.log
Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ponWCq7XIqaf.bat
Filesize
229B

MD5
2832ab38b1a9d2d8191467f1afbbf11e

SHA1
ebb73bb7228073ee1218226dd0ef4b8e99414afa

SHA256
1306bed9ae2a970671239ded78f07188d227df1979df1d47c8714a7f97d8e1d3

SHA512
8a72afe5d69f50f521fb1dd780d16d41730e9abaf9766d743871d6763b709710967ffeb1a0e71b65860f6ccacc3796ec104f4c397988e27923f5961f04f5d3fb

Download Submit
memory/1008-150-0x0000000006BE0000-0x0000000006C7C000-memory.dmp

Filesize
624KB

Download
memory/1008-143-0x0000000000000000-mapping.dmp

Download
memory/1260-139-0x0000000000000000-mapping.dmp

Download
memory/1568-151-0x0000000000000000-mapping.dmp

Download
memory/2128-142-0x0000000000000000-mapping.dmp

Download
memory/2260-138-0x0000000000000000-mapping.dmp

Download
memory/3152-141-0x0000000000000000-mapping.dmp

Download
memory/4428-146-0x0000000000000000-mapping.dmp

Download
memory/4576-137-0x00000000067D0000-0x000000000680C000-memory.dmp

Filesize
240KB

Download
memory/4576-132-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/4576-136-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/4576-135-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4576-134-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/4576-133-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/4832-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads