quasar | 3c22aced502398a94ad0c44fbdb1eb78e96a500e39af497ff6c7a9f9c512ef25

General

Target

Remover.bat
Size

4.4MB
MD5

f3aa3ff4c657d03f217b05e3de5cfe0f
SHA1

f39fe9fecd327901aceb32d55979fb49300a907a
SHA256

3c22aced502398a94ad0c44fbdb1eb78e96a500e39af497ff6c7a9f9c512ef25
SHA512

99ef3dba1ccd41f4284a2026edd400acff7ec0fb13652e8da71a17417a2c7ed571a227559b3f7b5991f7aa79cd883d14cd6cf17582095633597ed826ffcdd637
SSDEEP

24576:DuFAc9dtV23GygMMgqMPGBpQdLZF4VxNB6bu6T4Llm8H2fNjx/YNcQq3NON5BOze:ppgMlWQojUWxw94oa

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

5.180.180.66:4782

Mutex

28d5f0ab-9c9d-4762-9e41-3c5ccbfcffae

Attributes

encryption_key
5484AD7AC17743300FB1AC39869E7C36DF7762A0
install_name
MicrosoftEdge.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Edge
subdirectory
Edge

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kdot.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\kdot.exe	family_quasar
behavioral2/memory/3960-152-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

kdot.exeMicrosoftEdge.exe

pid process

3960 kdot.exe
2052 MicrosoftEdge.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1436 schtasks.exe
1312 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1648 powershell.exe
1648 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exekdot.exeMicrosoftEdge.exe

description pid process

Token: SeDebugPrivilege 1648 powershell.exe
Token: SeDebugPrivilege 3960 kdot.exe
Token: SeDebugPrivilege 2052 MicrosoftEdge.exe

pid	process
3960	kdot.exe
2052	MicrosoftEdge.exe

pid	process
1436	schtasks.exe
1312	schtasks.exe

pid	process
1648	powershell.exe
1648	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3960	kdot.exe
Token: SeDebugPrivilege	2052	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exekdot.exeMicrosoftEdge.exe

description	pid	process	target process
PID 4632 wrote to memory of 596	4632	cmd.exe	chcp.com
PID 4632 wrote to memory of 596	4632	cmd.exe	chcp.com
PID 4632 wrote to memory of 1648	4632	cmd.exe	powershell.exe
PID 4632 wrote to memory of 1648	4632	cmd.exe	powershell.exe
PID 4632 wrote to memory of 3960	4632	cmd.exe	kdot.exe
PID 4632 wrote to memory of 3960	4632	cmd.exe	kdot.exe
PID 3960 wrote to memory of 1312	3960	kdot.exe	schtasks.exe
PID 3960 wrote to memory of 1312	3960	kdot.exe	schtasks.exe
PID 3960 wrote to memory of 2052	3960	kdot.exe	MicrosoftEdge.exe
PID 3960 wrote to memory of 2052	3960	kdot.exe	MicrosoftEdge.exe
PID 2052 wrote to memory of 1436	2052	MicrosoftEdge.exe	schtasks.exe
PID 2052 wrote to memory of 1436	2052	MicrosoftEdge.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Remover.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$base64_last_line = Get-Content C:\Users\Admin\AppData\Local\Temp\Remover.bat | Select-Object -Last 1 ; $bytes = [System.Convert]::FromBase64String($base64_last_line) ; [System.IO.File]::WriteAllBytes('C:\Users\Admin\AppData\Local\Temp\\kdot.exe', $bytes)"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\kdot.exe
C:\Users\Admin\AppData\Local\Temp\\kdot.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1312

C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe
"C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpea5cxl.soz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdot.exe

Filesize
3.1MB

MD5
a82b356930eaae7790a19493f9e31165

SHA1
59c7fafae9c9f599659461cb9b1e3922547c1b2e

SHA256
af2dcb3d2a1e0cdf1826446f07a80bb0265a17923084b5d339f12c0073cec315

SHA512
c24137c76f68d479445aea3a4fdb0f13bfd10311c3be7baa9d46626aec3ff46bfc317b3d96eb9bd46f1c637fdb0218e2146ddb8dff50f53850feeec69f8704b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdot.exe

Filesize
3.1MB

MD5
a82b356930eaae7790a19493f9e31165

SHA1
59c7fafae9c9f599659461cb9b1e3922547c1b2e

SHA256
af2dcb3d2a1e0cdf1826446f07a80bb0265a17923084b5d339f12c0073cec315

SHA512
c24137c76f68d479445aea3a4fdb0f13bfd10311c3be7baa9d46626aec3ff46bfc317b3d96eb9bd46f1c637fdb0218e2146ddb8dff50f53850feeec69f8704b5

Download Submit
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe

Filesize
3.1MB

MD5
a82b356930eaae7790a19493f9e31165

SHA1
59c7fafae9c9f599659461cb9b1e3922547c1b2e

SHA256
af2dcb3d2a1e0cdf1826446f07a80bb0265a17923084b5d339f12c0073cec315

SHA512
c24137c76f68d479445aea3a4fdb0f13bfd10311c3be7baa9d46626aec3ff46bfc317b3d96eb9bd46f1c637fdb0218e2146ddb8dff50f53850feeec69f8704b5

Download Submit
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe

Filesize
3.1MB

MD5
a82b356930eaae7790a19493f9e31165

SHA1
59c7fafae9c9f599659461cb9b1e3922547c1b2e

SHA256
af2dcb3d2a1e0cdf1826446f07a80bb0265a17923084b5d339f12c0073cec315

SHA512
c24137c76f68d479445aea3a4fdb0f13bfd10311c3be7baa9d46626aec3ff46bfc317b3d96eb9bd46f1c637fdb0218e2146ddb8dff50f53850feeec69f8704b5

Download Submit
C:\Users\Admin\AppData\Roaming\Edge\MicrosoftEdge.exe

Filesize
3.1MB

MD5
a82b356930eaae7790a19493f9e31165

SHA1
59c7fafae9c9f599659461cb9b1e3922547c1b2e

SHA256
af2dcb3d2a1e0cdf1826446f07a80bb0265a17923084b5d339f12c0073cec315

SHA512
c24137c76f68d479445aea3a4fdb0f13bfd10311c3be7baa9d46626aec3ff46bfc317b3d96eb9bd46f1c637fdb0218e2146ddb8dff50f53850feeec69f8704b5

Download Submit
memory/1648-139-0x00000252FE5F0000-0x00000252FE612000-memory.dmp

Filesize
136KB

Download
memory/1648-144-0x0000025280110000-0x0000025280120000-memory.dmp

Filesize
64KB

Download
memory/1648-143-0x0000025280110000-0x0000025280120000-memory.dmp

Filesize
64KB

Download
memory/1648-145-0x0000025280110000-0x0000025280120000-memory.dmp

Filesize
64KB

Download
memory/2052-160-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/2052-161-0x0000000003160000-0x00000000031B0000-memory.dmp

Filesize
320KB

Download
memory/2052-162-0x000000001C490000-0x000000001C542000-memory.dmp

Filesize
712KB

Download
memory/2052-163-0x00000000031B0000-0x00000000031C2000-memory.dmp

Filesize
72KB

Download
memory/2052-164-0x000000001BC30000-0x000000001BC6C000-memory.dmp

Filesize
240KB

Download
memory/2052-165-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/3960-153-0x000000001B810000-0x000000001B820000-memory.dmp

Filesize
64KB

Download
memory/3960-152-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads