quasar | e7032103393d503c5642a10be96d39faaa93af05d0feaf77b8e011ebfa70022c

Analysis

max time kernel
30s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uplay_R6_Cap/Checker.exe
Size

3.1MB
MD5

547647b2a11212e16758e86e596c4e38
SHA1

22562c0a77948e12fb7a9d55b4bbf9a7653cb0bb
SHA256

aa842236e758058ef3ad704681ed6e8c391caf1fa5b64f47af05bb35e04377ca
SHA512

b3794971c334c2c456816dece4c8d871d6da16a23de6c52f0877b41b49a3526070377c8e55c7b93f98387087f7a743d5c89de99233ca37ce717d748d1f7a1287
SSDEEP

49152:hqynoUPX6KAiY5/UmaFJYYKoONHm5LOx1ndwlpN+w5nIdNawgmy6ISXstG5Auh0r:svKAiY9aFJPkyLOxdmljInpgXyXGGul

Score

10^/10

quasar shanx spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ShanX

pubgm.ddns.net:3463

Mutex

fe19d956-967f-4776-a516-d40c85ea9e9a

Attributes

encryption_key
C00A9243E77E6BA0615E28214F4657063CECD5D6
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4476-138-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Checker.exe

description pid process target process

PID 1512 set thread context of 4476 1512 Checker.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4376 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4476 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4476 vbc.exe

description	pid	process	target process
PID 1512 set thread context of 4476	1512	Checker.exe	vbc.exe

pid	process
4376	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4476	vbc.exe

pid	process
4476	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Checker.execmd.exe

description	pid	process	target process
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 4476	1512	Checker.exe	vbc.exe
PID 1512 wrote to memory of 1860	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 1860	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 1860	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 4796	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 4796	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 4796	1512	Checker.exe	cmd.exe
PID 4796 wrote to memory of 4376	4796	cmd.exe	schtasks.exe
PID 4796 wrote to memory of 4376	4796	cmd.exe	schtasks.exe
PID 4796 wrote to memory of 4376	4796	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 632	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 632	1512	Checker.exe	cmd.exe
PID 1512 wrote to memory of 632	1512	Checker.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Uplay_R6_Cap\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Uplay_R6_Cap\Checker.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\adobe"
2⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\adobe\adobe.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\adobe\adobe.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Uplay_R6_Cap\Checker.exe" "C:\Users\Admin\AppData\Local\Temp\adobe\adobe.exe"
2⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-133-0x0000000000B00000-0x0000000000E28000-memory.dmp

Filesize
3.2MB

Download
memory/1512-134-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/1512-135-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/1512-137-0x0000000007710000-0x00000000077A2000-memory.dmp

Filesize
584KB

Download
memory/4476-138-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/4476-139-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/4476-140-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4476-141-0x0000000006470000-0x0000000006A88000-memory.dmp

Filesize
6.1MB

Download
memory/4476-142-0x0000000005FA0000-0x0000000005FF0000-memory.dmp

Filesize
320KB

Download
memory/4476-143-0x0000000006210000-0x00000000062C2000-memory.dmp

Filesize
712KB

Download
memory/4476-147-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download