quasar | 0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7

Analysis

max time kernel
169s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.0MB
MD5

fd9cbccbd2803786c5ea2bf54b22d693
SHA1

97b675207f5679503f89096e7ae99b38b1bea382
SHA256

0e01c7577cb631dc13248dcc5da5fedc957747244a1ed10783027431ac1731b7
SHA512

900fb67bf952111fbfd9eb494afa3fb119cc0d6db782a4b2be9cb9228ba6ee1723bb1ccd5835ac7e5b248e005cde7f84a1c59cf01d7bf2f81e3cc819e69293c1
SSDEEP

24576:1LY5kMJDyGouUqg75HVDBvdJ9x5LESqRel+kvujSZGp:x4kMJDyGouUqg75HVDBvdzESqRelDvuc

Score

10^/10

quasar 1877 spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

1877

overthinker1877.duckdns.org:4545

Mutex

xiBqon3YI4gHicsPTt

Attributes

encryption_key
IshCdNN3oYnjATmMydkq
install_name
1877.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1384-132-0x00000000007A0000-0x00000000008B0000-memory.dmp	family_quasar

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 ip-api.com
68 api.ipify.org
Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Program Files (x86)\1877.exe tmp.exe
File opened for modification C:\Program Files (x86)\1877.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4948 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1384 tmp.exe

flow	ioc
46	ip-api.com
68	api.ipify.org

description	ioc	process
File created	C:\Program Files (x86)\1877.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\1877.exe	tmp.exe

pid	process
4948	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1384	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1384 wrote to memory of 4948	1384	tmp.exe	schtasks.exe
PID 1384 wrote to memory of 4948	1384	tmp.exe	schtasks.exe
PID 1384 wrote to memory of 4948	1384	tmp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Program Files (x86)\1877.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-132-0x00000000007A0000-0x00000000008B0000-memory.dmp

Filesize
1.1MB

Download
memory/1384-133-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/1384-134-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/1384-135-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/1384-136-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/4948-137-0x0000000000000000-mapping.dmp

Download