quasar | c1ed20f252eaa28ae2e5fc1bc08c60d9f6beccecf5ad1cb2e8278271c7acda59

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2023, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000b0000000122e5-60.exe
Size

3.1MB
MD5

8164a3361f7bb473d898b796ec12d468
SHA1

71d2afe83bedb25eec78188ddc1385361c3d632f
SHA256

c1ed20f252eaa28ae2e5fc1bc08c60d9f6beccecf5ad1cb2e8278271c7acda59
SHA512

e50bec34cc54dcf4fad041277b53f33c1cad64ea4f9352bd2bc144a4b41514b1c33e32245b3385f15fe14019c11c741f167e884de519ea4b2cb6a78dd598421c
SSDEEP

49152:avct62XlaSFNWPjljiFa2RoUYI2YRJ60bR3LoGdWTHHB72eh2NT:avg62XlaSFNWPjljiFXRoUYI2YRJ6+

Score

10^/10

quasar ninjagram spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ninjagram

nethttp.sytes.net:4782

Mutex

f04d3337-2e5e-4a42-bb35-8f2a600f118f

Attributes

encryption_key
D3749570795A041A5B9B7F71D15CD539096DC336
install_name
boot.exe
log_directory
security
reconnect_delay
1000
startup_key
services
subdirectory
winrn

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/3032-133-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral2/files/0x0003000000000733-138.dat	family_quasar
behavioral2/files/0x0003000000000733-140.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1376	boot.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4768	schtasks.exe
3876	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	0x000b0000000122e5-60.exe
Token: SeDebugPrivilege	1376	boot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	boot.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4768	3032	0x000b0000000122e5-60.exe	86
PID 3032 wrote to memory of 4768	3032	0x000b0000000122e5-60.exe	86
PID 3032 wrote to memory of 1376	3032	0x000b0000000122e5-60.exe	87
PID 3032 wrote to memory of 1376	3032	0x000b0000000122e5-60.exe	87
PID 1376 wrote to memory of 3876	1376	boot.exe	88
PID 1376 wrote to memory of 3876	1376	boot.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x000b0000000122e5-60.exe
"C:\Users\Admin\AppData\Local\Temp\0x000b0000000122e5-60.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\winrn\boot.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4768
- C:\Users\Admin\AppData\Roaming\winrn\boot.exe
  "C:\Users\Admin\AppData\Roaming\winrn\boot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\winrn\boot.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winrn\boot.exe

Filesize
3.1MB

MD5
8164a3361f7bb473d898b796ec12d468

SHA1
71d2afe83bedb25eec78188ddc1385361c3d632f

SHA256
c1ed20f252eaa28ae2e5fc1bc08c60d9f6beccecf5ad1cb2e8278271c7acda59

SHA512
e50bec34cc54dcf4fad041277b53f33c1cad64ea4f9352bd2bc144a4b41514b1c33e32245b3385f15fe14019c11c741f167e884de519ea4b2cb6a78dd598421c

Download Submit
C:\Users\Admin\AppData\Roaming\winrn\boot.exe

Filesize
3.1MB

MD5
8164a3361f7bb473d898b796ec12d468

SHA1
71d2afe83bedb25eec78188ddc1385361c3d632f

SHA256
c1ed20f252eaa28ae2e5fc1bc08c60d9f6beccecf5ad1cb2e8278271c7acda59

SHA512
e50bec34cc54dcf4fad041277b53f33c1cad64ea4f9352bd2bc144a4b41514b1c33e32245b3385f15fe14019c11c741f167e884de519ea4b2cb6a78dd598421c

Download Submit
memory/1376-141-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/1376-142-0x000000001C190000-0x000000001C1E0000-memory.dmp

Filesize
320KB

Download
memory/1376-143-0x000000001C2A0000-0x000000001C352000-memory.dmp

Filesize
712KB

Download
memory/1376-144-0x000000001C200000-0x000000001C212000-memory.dmp

Filesize
72KB

Download
memory/1376-145-0x000000001C260000-0x000000001C29C000-memory.dmp

Filesize
240KB

Download
memory/1376-146-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/3032-133-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/3032-134-0x000000001B250000-0x000000001B260000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads