quasar | 75314603ad6007bb6f475f35e4b45871bdefb815f0f8128c3fe279a10bd19e3f

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sevkiyat-Bilgisi..exe
Size

1.4MB
MD5

35978426c438be50ff71a09d303054e3
SHA1

99a8f137febd7a34cdcd6f3f867a02666cdb35be
SHA256

866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19
SHA512

5f1b82c685f8744c38d01e85c4f7a865cd54686c062e4de83f80bac46b3e0007ee571d5ee564a22aec60ea81c9e21b50f554f7e046e7a126d93214ad54b1097b
SSDEEP

24576:CNA3R5drXP/2ai/O+Bo2DxkmgP6L7Z8D5b2bM5MccqBhn1urp+Cq:b53V1kioL7ZccM5M214od

Score

10^/10

quasar kbop spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

KBop

kolptyubeatcam.sytes.net:64594

fronpeatcam.publicvm.com:64595

fronadeatcam.publicvm.com:64595

fronadeatcam.sytes.net:64595

Mutex

QSR_MUTEX_z6cdb40DnEoyUzOwXW

Attributes

encryption_key
jem6XrSkWxQgjosAOUlN
install_name
jres.exe
log_directory
Logs
reconnect_delay
3000
startup_key
jdm
subdirectory
oilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2744-94-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
1744	eisdvbhg.sfx.exe
2784	eisdvbhg.exe
2744	eisdvbhg.exe

Loads dropped DLL 6 IoCs

pid	Process
2112	cmd.exe
1744	eisdvbhg.sfx.exe
1744	eisdvbhg.sfx.exe
1744	eisdvbhg.sfx.exe
1744	eisdvbhg.sfx.exe
2784	eisdvbhg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2744	2784	eisdvbhg.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	eisdvbhg.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2112	2372	Sevkiyat-Bilgisi..exe	28
PID 2372 wrote to memory of 2112	2372	Sevkiyat-Bilgisi..exe	28
PID 2372 wrote to memory of 2112	2372	Sevkiyat-Bilgisi..exe	28
PID 2372 wrote to memory of 2112	2372	Sevkiyat-Bilgisi..exe	28
PID 2112 wrote to memory of 1744	2112	cmd.exe	30
PID 2112 wrote to memory of 1744	2112	cmd.exe	30
PID 2112 wrote to memory of 1744	2112	cmd.exe	30
PID 2112 wrote to memory of 1744	2112	cmd.exe	30
PID 1744 wrote to memory of 2784	1744	eisdvbhg.sfx.exe	31
PID 1744 wrote to memory of 2784	1744	eisdvbhg.sfx.exe	31
PID 1744 wrote to memory of 2784	1744	eisdvbhg.sfx.exe	31
PID 1744 wrote to memory of 2784	1744	eisdvbhg.sfx.exe	31
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32
PID 2784 wrote to memory of 2744	2784	eisdvbhg.exe	32

C:\Users\Admin\AppData\Local\Temp\Sevkiyat-Bilgisi..exe
"C:\Users\Admin\AppData\Local\Temp\Sevkiyat-Bilgisi..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\twikfhn.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe
    eisdvbhg.sfx.exe -prhndloaxzbcgscvmhjfjgBbsdirhndmkaloybdtyuiolfadfdyehngfszafugyRhvertFvbdkoS -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
      "C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
        
        C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
        5⤵
        Executes dropped EXE
        
        PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe

Filesize
1.1MB

MD5
9ede8b3bae317b0dcdd022b9bf2e44ef

SHA1
b43f2dd1446bc9e0e6237d65f4007506ff7393cf

SHA256
9015f6d5d073c60607d3ca4db876da2cc320d15eb922f38170e616c4e0de6fe9

SHA512
8b24fd190d6d53c61ebd6a9d868b8bbf521604b79dccb8d3bae0297d04794abd828f57cebd01b444a2d566d4c61704f819f0ec69d219f0db7d57331d45b42d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe

Filesize
1.1MB

MD5
9ede8b3bae317b0dcdd022b9bf2e44ef

SHA1
b43f2dd1446bc9e0e6237d65f4007506ff7393cf

SHA256
9015f6d5d073c60607d3ca4db876da2cc320d15eb922f38170e616c4e0de6fe9

SHA512
8b24fd190d6d53c61ebd6a9d868b8bbf521604b79dccb8d3bae0297d04794abd828f57cebd01b444a2d566d4c61704f819f0ec69d219f0db7d57331d45b42d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\twikfhn.bat

Filesize
18KB

MD5
10ab99c0ccba81a7ed54d0d1dfe7c27d

SHA1
b95309a259f822aca0421106ab0b8c8de6815f6c

SHA256
dfa6316ed91baf1d849b5eb9875ccde9b9e573c02294d6ce87023c7c108d8723

SHA512
6a218d199e49f4505d10c2e048941836bd4d15a318174c5ca31b675556de77a4403b73e9b649a8c783d4c74115207ff8335e92379f677ef987ff0ed464626782

Download Submit
C:\Users\Admin\AppData\Local\Temp\twikfhn.bat

Filesize
18KB

MD5
10ab99c0ccba81a7ed54d0d1dfe7c27d

SHA1
b95309a259f822aca0421106ab0b8c8de6815f6c

SHA256
dfa6316ed91baf1d849b5eb9875ccde9b9e573c02294d6ce87023c7c108d8723

SHA512
6a218d199e49f4505d10c2e048941836bd4d15a318174c5ca31b675556de77a4403b73e9b649a8c783d4c74115207ff8335e92379f677ef987ff0ed464626782

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe

Filesize
1.1MB

MD5
9ede8b3bae317b0dcdd022b9bf2e44ef

SHA1
b43f2dd1446bc9e0e6237d65f4007506ff7393cf

SHA256
9015f6d5d073c60607d3ca4db876da2cc320d15eb922f38170e616c4e0de6fe9

SHA512
8b24fd190d6d53c61ebd6a9d868b8bbf521604b79dccb8d3bae0297d04794abd828f57cebd01b444a2d566d4c61704f819f0ec69d219f0db7d57331d45b42d06

Download Submit
memory/2744-94-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2784-92-0x0000000004360000-0x000000000444E000-memory.dmp

Filesize
952KB

Download
memory/2784-91-0x0000000000340000-0x0000000000404000-memory.dmp

Filesize
784KB

Download