quasar | 417099ab2a4161b7d39e0657ea0dcd5b15e90111bedf13f3442fbb2efd708f12

General

Target

CsGoCheats.exe
Size

3.3MB
MD5

d31c6a4a86b2c01d7c6f3bbf0f2773cb
SHA1

b8d2287930ff0ebfc7b857c993c1fc0102a925db
SHA256

417099ab2a4161b7d39e0657ea0dcd5b15e90111bedf13f3442fbb2efd708f12
SHA512

3481b0fc96e319e7ef431a3e161fe5e094c74e7fa31532d3fde5d581d1754796571bbc056f4ed504f5490ccde5fec333a7ed09a56be0f551369c9c1904b28962
SSDEEP

98304:lvg62XlaSFNWPjljiFXRoUYI/MQH+eVl:J4ZYIH+I

Score

10^/10

quasar cheats spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Cheats

C2

185.38.142.185:3138

Mutex

27629fb0-eb8d-4d40-971d-ac7640df2bb4

Attributes

encryption_key
87878A8B39F0E68E388682CADE478983AEB7449F
install_name
ModmenuCSGO.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RamAnoT
subdirectory
CSGO

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2812-54-0x0000000001250000-0x000000000159C000-memory.dmp	family_quasar
C:\Program Files\CSGO\ModmenuCSGO.exe	family_quasar
C:\Program Files\CSGO\ModmenuCSGO.exe	family_quasar
behavioral1/memory/2620-62-0x0000000000C80000-0x0000000000FCC000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

ModmenuCSGO.exe

pid process

2620 ModmenuCSGO.exe

pid	process
2620	ModmenuCSGO.exe

Drops file in Program Files directory 2 IoCs

Processes:

CsGoCheats.exe

description	ioc	process
File created	C:\Program Files\CSGO\ModmenuCSGO.exe	CsGoCheats.exe
File opened for modification	C:\Program Files\CSGO\ModmenuCSGO.exe	CsGoCheats.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1888 schtasks.exe
2132 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CsGoCheats.exeModmenuCSGO.exe

description pid process

Token: SeDebugPrivilege 2812 CsGoCheats.exe
Token: SeDebugPrivilege 2620 ModmenuCSGO.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ModmenuCSGO.exe

pid process

2620 ModmenuCSGO.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ModmenuCSGO.exe

pid process

2620 ModmenuCSGO.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ModmenuCSGO.exe

pid process

2620 ModmenuCSGO.exe

pid	process
1888	schtasks.exe
2132	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2812	CsGoCheats.exe
Token: SeDebugPrivilege	2620	ModmenuCSGO.exe

pid	process
2620	ModmenuCSGO.exe

pid	process
2620	ModmenuCSGO.exe

pid	process
2620	ModmenuCSGO.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

CsGoCheats.exeModmenuCSGO.exe

description	pid	process	target process
PID 2812 wrote to memory of 2132	2812	CsGoCheats.exe	schtasks.exe
PID 2812 wrote to memory of 2132	2812	CsGoCheats.exe	schtasks.exe
PID 2812 wrote to memory of 2132	2812	CsGoCheats.exe	schtasks.exe
PID 2812 wrote to memory of 2620	2812	CsGoCheats.exe	ModmenuCSGO.exe
PID 2812 wrote to memory of 2620	2812	CsGoCheats.exe	ModmenuCSGO.exe
PID 2812 wrote to memory of 2620	2812	CsGoCheats.exe	ModmenuCSGO.exe
PID 2620 wrote to memory of 1888	2620	ModmenuCSGO.exe	schtasks.exe
PID 2620 wrote to memory of 1888	2620	ModmenuCSGO.exe	schtasks.exe
PID 2620 wrote to memory of 1888	2620	ModmenuCSGO.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\CsGoCheats.exe
"C:\Users\Admin\AppData\Local\Temp\CsGoCheats.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RamAnoT" /sc ONLOGON /tr "C:\Program Files\CSGO\ModmenuCSGO.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2132

C:\Program Files\CSGO\ModmenuCSGO.exe
"C:\Program Files\CSGO\ModmenuCSGO.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RamAnoT" /sc ONLOGON /tr "C:\Program Files\CSGO\ModmenuCSGO.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CSGO\ModmenuCSGO.exe
Filesize
3.3MB

MD5
d31c6a4a86b2c01d7c6f3bbf0f2773cb

SHA1
b8d2287930ff0ebfc7b857c993c1fc0102a925db

SHA256
417099ab2a4161b7d39e0657ea0dcd5b15e90111bedf13f3442fbb2efd708f12

SHA512
3481b0fc96e319e7ef431a3e161fe5e094c74e7fa31532d3fde5d581d1754796571bbc056f4ed504f5490ccde5fec333a7ed09a56be0f551369c9c1904b28962

Download Submit
C:\Program Files\CSGO\ModmenuCSGO.exe
Filesize
3.3MB

MD5
d31c6a4a86b2c01d7c6f3bbf0f2773cb

SHA1
b8d2287930ff0ebfc7b857c993c1fc0102a925db

SHA256
417099ab2a4161b7d39e0657ea0dcd5b15e90111bedf13f3442fbb2efd708f12

SHA512
3481b0fc96e319e7ef431a3e161fe5e094c74e7fa31532d3fde5d581d1754796571bbc056f4ed504f5490ccde5fec333a7ed09a56be0f551369c9c1904b28962

Download Submit
memory/2620-62-0x0000000000C80000-0x0000000000FCC000-memory.dmp

Filesize
3.3MB

Download
memory/2620-63-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-64-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2620-65-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-66-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2812-54-0x0000000001250000-0x000000000159C000-memory.dmp

Filesize
3.3MB

Download
memory/2812-55-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-56-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2812-61-0x000007FEF6150000-0x000007FEF6B3C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads