quasar | 75314603ad6007bb6f475f35e4b45871bdefb815f0f8128c3fe279a10bd19e3f

General

Target

Sevkiyat-Bilgisi..exe
Size

1.4MB
MD5

35978426c438be50ff71a09d303054e3
SHA1

99a8f137febd7a34cdcd6f3f867a02666cdb35be
SHA256

866b5bcc067af55b26fae2013af4310fb27381a585e720a1dd39c722f1a18c19
SHA512

5f1b82c685f8744c38d01e85c4f7a865cd54686c062e4de83f80bac46b3e0007ee571d5ee564a22aec60ea81c9e21b50f554f7e046e7a126d93214ad54b1097b
SSDEEP

24576:CNA3R5drXP/2ai/O+Bo2DxkmgP6L7Z8D5b2bM5MccqBhn1urp+Cq:b53V1kioL7ZccM5M214od

Score

10^/10

quasar kbop spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

KBop

C2

kolptyubeatcam.sytes.net:64594

fronpeatcam.publicvm.com:64595

fronadeatcam.publicvm.com:64595

fronadeatcam.sytes.net:64595

Mutex

QSR_MUTEX_z6cdb40DnEoyUzOwXW

Attributes

encryption_key
jem6XrSkWxQgjosAOUlN
install_name
jres.exe
log_directory
Logs
reconnect_delay
3000
startup_key
jdm
subdirectory
oilk

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2388-158-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	Sevkiyat-Bilgisi..exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	eisdvbhg.sfx.exe

Executes dropped EXE 3 IoCs

pid	Process
100	eisdvbhg.sfx.exe
2088	eisdvbhg.exe
2388	eisdvbhg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2388	2088	eisdvbhg.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1464	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	eisdvbhg.exe
Token: SeDebugPrivilege	2388	eisdvbhg.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3096	2664	Sevkiyat-Bilgisi..exe	86
PID 2664 wrote to memory of 3096	2664	Sevkiyat-Bilgisi..exe	86
PID 2664 wrote to memory of 3096	2664	Sevkiyat-Bilgisi..exe	86
PID 3096 wrote to memory of 100	3096	cmd.exe	89
PID 3096 wrote to memory of 100	3096	cmd.exe	89
PID 3096 wrote to memory of 100	3096	cmd.exe	89
PID 100 wrote to memory of 2088	100	eisdvbhg.sfx.exe	90
PID 100 wrote to memory of 2088	100	eisdvbhg.sfx.exe	90
PID 100 wrote to memory of 2088	100	eisdvbhg.sfx.exe	90
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2088 wrote to memory of 2388	2088	eisdvbhg.exe	93
PID 2388 wrote to memory of 1464	2388	eisdvbhg.exe	96
PID 2388 wrote to memory of 1464	2388	eisdvbhg.exe	96
PID 2388 wrote to memory of 1464	2388	eisdvbhg.exe	96

C:\Users\Admin\AppData\Local\Temp\Sevkiyat-Bilgisi..exe
"C:\Users\Admin\AppData\Local\Temp\Sevkiyat-Bilgisi..exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twikfhn.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe
    eisdvbhg.sfx.exe -prhndloaxzbcgscvmhjfjgBbsdirhndmkaloybdtyuiolfadfdyehngfszafugyRhvertFvbdkoS -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
      "C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
        
        C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "jdm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.exe

Filesize
755KB

MD5
a1aada29638b3f8f499e6998b56c6d35

SHA1
e58093de317aab07ee516a3628eb118828bc81e8

SHA256
639e7498c22d26aa282595a56f8098634f09675844ca8c95f3a4f907ecb604aa

SHA512
356d6d9f6b9e7eaf714fb931bb80371980fe6283226c3ada27c5f9279580b13397ce0cf3c1b6dece054f13eb063bcf4475dc2bae3caf44721f75961be84b6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe

Filesize
1.1MB

MD5
9ede8b3bae317b0dcdd022b9bf2e44ef

SHA1
b43f2dd1446bc9e0e6237d65f4007506ff7393cf

SHA256
9015f6d5d073c60607d3ca4db876da2cc320d15eb922f38170e616c4e0de6fe9

SHA512
8b24fd190d6d53c61ebd6a9d868b8bbf521604b79dccb8d3bae0297d04794abd828f57cebd01b444a2d566d4c61704f819f0ec69d219f0db7d57331d45b42d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\eisdvbhg.sfx.exe

Filesize
1.1MB

MD5
9ede8b3bae317b0dcdd022b9bf2e44ef

SHA1
b43f2dd1446bc9e0e6237d65f4007506ff7393cf

SHA256
9015f6d5d073c60607d3ca4db876da2cc320d15eb922f38170e616c4e0de6fe9

SHA512
8b24fd190d6d53c61ebd6a9d868b8bbf521604b79dccb8d3bae0297d04794abd828f57cebd01b444a2d566d4c61704f819f0ec69d219f0db7d57331d45b42d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\twikfhn.bat

Filesize
18KB

MD5
10ab99c0ccba81a7ed54d0d1dfe7c27d

SHA1
b95309a259f822aca0421106ab0b8c8de6815f6c

SHA256
dfa6316ed91baf1d849b5eb9875ccde9b9e573c02294d6ce87023c7c108d8723

SHA512
6a218d199e49f4505d10c2e048941836bd4d15a318174c5ca31b675556de77a4403b73e9b649a8c783d4c74115207ff8335e92379f677ef987ff0ed464626782

Download Submit
memory/2088-157-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/2088-156-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2088-155-0x0000000000470000-0x0000000000534000-memory.dmp

Filesize
784KB

Download
memory/2388-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2388-161-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/2388-162-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/2388-163-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2388-164-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/2388-165-0x0000000006770000-0x0000000006782000-memory.dmp

Filesize
72KB

Download
memory/2388-166-0x0000000006CE0000-0x0000000006D1C000-memory.dmp

Filesize
240KB

Download
memory/2388-167-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2388-168-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads