quasar | 0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557

General

Target

ren_installer.exe
Size

3.1MB
MD5

10c9f8a8e8c8c9797643d9b1edb01cc1
SHA1

defcd4e8bba01bb730572dff40fad78e053f337a
SHA256

0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557
SHA512

a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849
SSDEEP

49152:+vgt62XlaSFNWPjljiFa2RoUYI3vLroGd4THHB72eh2NT:+vM62XlaSFNWPjljiFXRoUYI3vf

Score

10^/10

quasar reservices spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ReServices

C2

185.65.134.175:55498

Mutex

86e242cc-399d-4e30-a743-e89f0418f106

Attributes

encryption_key
B451C26057A2AEFC83990793720D2316EA48C49A
install_name
renservice.exe
log_directory
Logs
reconnect_delay
3000
startup_key
renservice
subdirectory
servicerenk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-133-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar
C:\Windows\System32\servicerenk\renservice.exe	family_quasar
C:\Windows\system32\servicerenk\renservice.exe	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

renservice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	renservice.exe

Executes dropped EXE 1 IoCs

Processes:

renservice.exe

pid process

4520 renservice.exe

pid	process
4520	renservice.exe

Drops file in System32 directory 5 IoCs

Processes:

ren_installer.exerenservice.exe

description	ioc	process
File opened for modification	C:\Windows\system32\servicerenk\renservice.exe	ren_installer.exe
File opened for modification	C:\Windows\system32\servicerenk	ren_installer.exe
File opened for modification	C:\Windows\system32\servicerenk\renservice.exe	renservice.exe
File opened for modification	C:\Windows\system32\servicerenk	renservice.exe
File created	C:\Windows\system32\servicerenk\renservice.exe	ren_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3452 schtasks.exe
884 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

980 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ren_installer.exerenservice.exe

description pid process

Token: SeDebugPrivilege 4848 ren_installer.exe
Token: SeDebugPrivilege 4520 renservice.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

renservice.exe

pid process

4520 renservice.exe
4520 renservice.exe
4520 renservice.exe
4520 renservice.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

renservice.exe

pid process

4520 renservice.exe
4520 renservice.exe
4520 renservice.exe
4520 renservice.exe

pid	process
3452	schtasks.exe
884	schtasks.exe

pid	process
980	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4848	ren_installer.exe
Token: SeDebugPrivilege	4520	renservice.exe

pid	process
4520	renservice.exe
4520	renservice.exe
4520	renservice.exe
4520	renservice.exe

pid	process
4520	renservice.exe
4520	renservice.exe
4520	renservice.exe
4520	renservice.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ren_installer.exerenservice.execmd.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 3452	4848	ren_installer.exe	schtasks.exe
PID 4848 wrote to memory of 3452	4848	ren_installer.exe	schtasks.exe
PID 4848 wrote to memory of 4520	4848	ren_installer.exe	renservice.exe
PID 4848 wrote to memory of 4520	4848	ren_installer.exe	renservice.exe
PID 4520 wrote to memory of 884	4520	renservice.exe	schtasks.exe
PID 4520 wrote to memory of 884	4520	renservice.exe	schtasks.exe
PID 4520 wrote to memory of 3668	4520	renservice.exe	cmd.exe
PID 4520 wrote to memory of 3668	4520	renservice.exe	cmd.exe
PID 3668 wrote to memory of 452	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 452	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 2632	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 2632	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 4484	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 4484	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 4876	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 4876	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 5092	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 5092	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 1236	3668	cmd.exe	cmd.exe
PID 3668 wrote to memory of 1236	3668	cmd.exe	cmd.exe
PID 4520 wrote to memory of 4472	4520	renservice.exe	schtasks.exe
PID 4520 wrote to memory of 4472	4520	renservice.exe	schtasks.exe
PID 4520 wrote to memory of 4748	4520	renservice.exe	cmd.exe
PID 4520 wrote to memory of 4748	4520	renservice.exe	cmd.exe
PID 4748 wrote to memory of 752	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 752	4748	cmd.exe	chcp.com
PID 4748 wrote to memory of 980	4748	cmd.exe	PING.EXE
PID 4748 wrote to memory of 980	4748	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ren_installer.exe
"C:\Users\Admin\AppData\Local\Temp\ren_installer.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "renservice" /sc ONLOGON /tr "C:\Windows\system32\servicerenk\renservice.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\servicerenk\renservice.exe
"C:\Windows\system32\servicerenk\renservice.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "renservice" /sc ONLOGON /tr "C:\Windows\system32\servicerenk\renservice.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:884

C:\Windows\SYSTEM32\cmd.exe
"cmd" /K CHCP 437
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\chcp.com
CHCP 437
4⤵
PID:452

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:2632

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:4484

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:4876

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:5092

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:1236

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "renservice" /f
3⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEJsROPL1SCi.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XEJsROPL1SCi.bat
Filesize
209B

MD5
09c5858ca4ebb542a545c715d7d37bac

SHA1
0dfaf1a63d5bfdc18fd88d0bfddd0fb888a37d28

SHA256
756315f75d0bf56a106fb9d13dfd85fd3e2ac9b87c3dae6aaaa59c591230c9b1

SHA512
d6ddec5cdb61761a9a5608c99a50933acbffa85bb84fe0bd1160012c551aacc5c55a4351c0cba3599cec2b9c1536fc4c6104b90dee4ca8c776df3fdb04cb46da

Download Submit
C:\Windows\System32\servicerenk\renservice.exe
Filesize
3.1MB

MD5
10c9f8a8e8c8c9797643d9b1edb01cc1

SHA1
defcd4e8bba01bb730572dff40fad78e053f337a

SHA256
0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557

SHA512
a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849

Download Submit
C:\Windows\system32\servicerenk\renservice.exe
Filesize
3.1MB

MD5
10c9f8a8e8c8c9797643d9b1edb01cc1

SHA1
defcd4e8bba01bb730572dff40fad78e053f337a

SHA256
0809e0c6095acabdcb816728c39fc818741c3197c4635d7a53a926f2f8df7557

SHA512
a3c1e18ed24bcc03385a6cb7e50bae9c475c93f0a9af88ac731e9c1923b314ea60e79bd4b9b420b31050ea2d67ac6746cb7d3b2edba7056e91fd665f12311849

Download Submit
memory/4520-143-0x000000001C420000-0x000000001C4D2000-memory.dmp

Filesize
712KB

Download
memory/4520-141-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/4520-142-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download
memory/4520-146-0x000000001C360000-0x000000001C372000-memory.dmp

Filesize
72KB

Download
memory/4520-147-0x000000001C3C0000-0x000000001C3FC000-memory.dmp

Filesize
240KB

Download
memory/4520-148-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/4520-149-0x000000001CE20000-0x000000001CFC9000-memory.dmp

Filesize
1.7MB

Download
memory/4520-150-0x000000001CE20000-0x000000001CFC9000-memory.dmp

Filesize
1.7MB

Download
memory/4520-151-0x000000001CE20000-0x000000001CFC9000-memory.dmp

Filesize
1.7MB

Download
memory/4520-161-0x000000001CE20000-0x000000001CFC9000-memory.dmp

Filesize
1.7MB

Download
memory/4848-133-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/4848-134-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads