quasar | 8386ce0e691153f7de97e4903b8b9955beca49b1abfd1f3b5613a77f4073f4d8

Analysis

max time kernel
77s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe
Size

502KB
MD5

2e8dde7817c9438c831c39d470507dda
SHA1

34bc8c79ddf3960c9a6a6604e9d8293b685a2fc7
SHA256

8386ce0e691153f7de97e4903b8b9955beca49b1abfd1f3b5613a77f4073f4d8
SHA512

0eb6f58097cf7d13d996c50e74429a525899c8766666772707730685a19472e09c7a1a46de67065cd85f06701fe3678f40923b828cea67ed5efd703232ef2f67
SSDEEP

6144:RTEgdc0YWX7IxUpGREWVwGzubzjKlh/EKpxwQHocE0Db8F9v+xPo8hf3cTR3e:RTEgdfY3xUKwfb0Rxwk44O8hf3cde

Score

10^/10

quasar 8882 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

8882

me.hansang.me:808

Mutex

5f609853-86c8-4cdd-a225-1f2ab545a652

Attributes

encryption_key
D79EFEAF55C90AEA4C0EB53B87A66A499BADB764
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/1952-133-0x0000000000DC0000-0x0000000000E44000-memory.dmp	family_quasar
behavioral2/files/0x0001000000023105-137.dat	family_quasar
behavioral2/files/0x0001000000023105-138.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
228	svchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
28	api.ipify.org

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File created	C:\Windows\system32\SubDir\svchost.exe	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe
File opened for modification	C:\Windows\system32\SubDir	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3252	schtasks.exe
1740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe
Token: SeDebugPrivilege	228	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3252	1952	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe	86
PID 1952 wrote to memory of 3252	1952	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe	86
PID 1952 wrote to memory of 228	1952	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe	88
PID 1952 wrote to memory of 228	1952	8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe	88
PID 228 wrote to memory of 1740	228	svchost.exe	92
PID 228 wrote to memory of 1740	228	svchost.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe
"C:\Users\Admin\AppData\Local\Temp\8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svchost Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8386CE0E691153F7DE97E4903B8B9955BECA49B1ABFD1.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3252
- C:\Windows\system32\SubDir\svchost.exe
  "C:\Windows\system32\SubDir\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\svchost.exe

Filesize
502KB

MD5
2e8dde7817c9438c831c39d470507dda

SHA1
34bc8c79ddf3960c9a6a6604e9d8293b685a2fc7

SHA256
8386ce0e691153f7de97e4903b8b9955beca49b1abfd1f3b5613a77f4073f4d8

SHA512
0eb6f58097cf7d13d996c50e74429a525899c8766666772707730685a19472e09c7a1a46de67065cd85f06701fe3678f40923b828cea67ed5efd703232ef2f67

Download Submit
C:\Windows\system32\SubDir\svchost.exe

Filesize
502KB

MD5
2e8dde7817c9438c831c39d470507dda

SHA1
34bc8c79ddf3960c9a6a6604e9d8293b685a2fc7

SHA256
8386ce0e691153f7de97e4903b8b9955beca49b1abfd1f3b5613a77f4073f4d8

SHA512
0eb6f58097cf7d13d996c50e74429a525899c8766666772707730685a19472e09c7a1a46de67065cd85f06701fe3678f40923b828cea67ed5efd703232ef2f67

Download Submit
memory/228-140-0x000000001D7B0000-0x000000001D800000-memory.dmp

Filesize
320KB

Download
memory/228-141-0x000000001DDD0000-0x000000001DE82000-memory.dmp

Filesize
712KB

Download
memory/1952-133-0x0000000000DC0000-0x0000000000E44000-memory.dmp

Filesize
528KB

Download
memory/1952-134-0x000000001D070000-0x000000001D080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads