quasar | b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34

General

Target

b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
Size

983KB
MD5

d87b2ef3227b9fa712f51714bbe8e337
SHA1

a06b25c0cf16f967ef40c4832dd43bca88f2147d
SHA256

b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34
SHA512

66fb810ae7d5111a6da552fca4644370a367922583aba20c453d68ce74c6dba0216d418f03683ea50924149e4232d9d2a5708d305f7c5d611feb13b967170716
SSDEEP

24576:Q+tPSg5/YGpKxU8zx+uf8j4L/AlxNemsDSdGsr:XtPS9K8FbUjgAlxNfs+Z

Score

10^/10

quasar test 1 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

test 1

C2

192.168.68.109:8080

Mutex

QSR_MUTEX_mEw8e7d5JFnWElKx6H

Attributes

encryption_key
sh96FHUHgXB5ZJsysAr5
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe	family_quasar
behavioral1/memory/1736-59-0x0000000000970000-0x00000000009CE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/1160-66-0x00000000009B0000-0x0000000000A0E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Ifdsjk.exeClient.exe

pid process

1736 Ifdsjk.exe
1160 Client.exe
Loads dropped DLL 1 IoCs

Processes:

Ifdsjk.exe

pid process

1736 Ifdsjk.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1248 schtasks.exe
1960 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Ifdsjk.exeClient.exe

description pid process

Token: SeDebugPrivilege 1736 Ifdsjk.exe
Token: SeDebugPrivilege 1160 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1160 Client.exe

pid	process
1736	Ifdsjk.exe
1160	Client.exe

pid	process
1736	Ifdsjk.exe

flow	ioc
1	ip-api.com

pid	process
1248	schtasks.exe
1960	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1736	Ifdsjk.exe
Token: SeDebugPrivilege	1160	Client.exe

pid	process
1160	Client.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exeIfdsjk.exeClient.exe

description	pid	process	target process
PID 1516 wrote to memory of 1736	1516	b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe	Ifdsjk.exe
PID 1516 wrote to memory of 1736	1516	b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe	Ifdsjk.exe
PID 1516 wrote to memory of 1736	1516	b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe	Ifdsjk.exe
PID 1516 wrote to memory of 1736	1516	b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe	Ifdsjk.exe
PID 1736 wrote to memory of 1248	1736	Ifdsjk.exe	schtasks.exe
PID 1736 wrote to memory of 1248	1736	Ifdsjk.exe	schtasks.exe
PID 1736 wrote to memory of 1248	1736	Ifdsjk.exe	schtasks.exe
PID 1736 wrote to memory of 1248	1736	Ifdsjk.exe	schtasks.exe
PID 1736 wrote to memory of 1160	1736	Ifdsjk.exe	Client.exe
PID 1736 wrote to memory of 1160	1736	Ifdsjk.exe	Client.exe
PID 1736 wrote to memory of 1160	1736	Ifdsjk.exe	Client.exe
PID 1736 wrote to memory of 1160	1736	Ifdsjk.exe	Client.exe
PID 1160 wrote to memory of 1960	1160	Client.exe	schtasks.exe
PID 1160 wrote to memory of 1960	1160	Client.exe	schtasks.exe
PID 1160 wrote to memory of 1960	1160	Client.exe	schtasks.exe
PID 1160 wrote to memory of 1960	1160	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe
"C:\Users\Admin\AppData\Local\Temp\b8ee29fd0c11ec6207bbe44bfb1880e57cd62ebc85480dfa2d301d5ba492ca34.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe
"C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1248

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe
Filesize
348KB

MD5
d9377c1894b735309457007cecd1fa92

SHA1
e3e2409a2e1fdf260b22d5208bf51747f016f572

SHA256
7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4

SHA512
1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifdsjk.exe
Filesize
348KB

MD5
d9377c1894b735309457007cecd1fa92

SHA1
e3e2409a2e1fdf260b22d5208bf51747f016f572

SHA256
7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4

SHA512
1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
d9377c1894b735309457007cecd1fa92

SHA1
e3e2409a2e1fdf260b22d5208bf51747f016f572

SHA256
7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4

SHA512
1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
d9377c1894b735309457007cecd1fa92

SHA1
e3e2409a2e1fdf260b22d5208bf51747f016f572

SHA256
7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4

SHA512
1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
d9377c1894b735309457007cecd1fa92

SHA1
e3e2409a2e1fdf260b22d5208bf51747f016f572

SHA256
7815ef2cee02e24e83e601939d364ddfef3ef7371b35e2cb3d8b290d68e699c4

SHA512
1577932188584e84c2f589c1c2678994955902a1fe0b8158f88471c5ffb093650d437d896211afe04fca3ff75d8db7640ae83b4c41457a105de8fb0aabea8d6e

Download Submit
memory/1160-63-0x0000000000000000-mapping.dmp

Download
memory/1160-66-0x00000000009B0000-0x0000000000A0E000-memory.dmp

Filesize
376KB

Download
memory/1248-61-0x0000000000000000-mapping.dmp

Download
memory/1516-54-0x00000000000C0000-0x00000000001BC000-memory.dmp

Filesize
1008KB

Download
memory/1516-55-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/1736-60-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1736-59-0x0000000000970000-0x00000000009CE000-memory.dmp

Filesize
376KB

Download
memory/1736-56-0x0000000000000000-mapping.dmp

Download
memory/1960-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads