quasar | 4b42246e573c243f6d1cd35c21ef7d96f2ff9843904191557ed1ae52d531b6d5

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2023, 14:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

475KB
MD5

b0b642d21e471002fe600e813ee8a5e4
SHA1

8d4dabde7bb206cd8c84dce88e65053de885da23
SHA256

4b42246e573c243f6d1cd35c21ef7d96f2ff9843904191557ed1ae52d531b6d5
SHA512

5f2dd93eae3bbf47092a76a7150606dc0bc4f1d836f1d82d6f170f4b1c21fc1d173a2ebfe2ae5057e9f0335bebec4988de8847782d8c14da47a06092ab5c4ac1
SSDEEP

12288:Ypi+uXadVjCQ0AybTTEZyI1yzL2FHO/mGXw2:YpDuXa/jCQYTTKy3LMuew

Score

10^/10

quasar edrawmax persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EdrawMax

forex.4cloud.click:1981

Mutex

wsbTZmpkXyxm8xAsQP

Attributes

encryption_key
iBgx6lbqLn18oNE3C8cN
install_name
Client.exe
log_directory
16k
reconnect_delay
10000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3548-135-0x0000000000D30000-0x0000000000D8E000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 3548	368	file.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1976	368	WerFault.exe	83

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	csc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
368	file.exe
3548	csc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3548	368	file.exe	84
PID 368 wrote to memory of 3548	368	file.exe	84
PID 368 wrote to memory of 3548	368	file.exe	84
PID 368 wrote to memory of 3548	368	file.exe	84
PID 368 wrote to memory of 3548	368	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  -arguments
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 660
  2⤵
  - Program crash
  PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3548-135-0x0000000000D30000-0x0000000000D8E000-memory.dmp

Filesize
376KB

Download
memory/3548-140-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/3548-141-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/3548-142-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/3548-143-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/3548-144-0x0000000006CA0000-0x0000000006CB2000-memory.dmp

Filesize
72KB

Download
memory/3548-145-0x00000000072E0000-0x000000000731C000-memory.dmp

Filesize
240KB

Download
memory/3548-147-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/3548-148-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download