quasar | 78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

General

Target

Free Robux.exe
Size

3.1MB
MD5

12dfc98e55d187e82fe2207383447e0b
SHA1

efb3fb106202b9a12f1894e703fcee27cb93e28c
SHA256

78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f
SHA512

410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9
SSDEEP

49152:DvBuf2NUaNmwzPWlvdaKM7ZxTwdlRJ64bR3LoGdQTHHB72eh2NT:Dvcf2NUaNmwzPWlvdaB7ZxTwdlRJ6S

Score

10^/10

quasar infected spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Infected

C2

192.168.1.1:4782

192.168.1.66:4782

dark-crystal.at.ply.gg:4782

Mutex

ff410ede-beff-4970-8e12-7d251057f1fd

Attributes

encryption_key
1B172706DED462B59F2A5056AB06A8DD1EE8491B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek Audio
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2324-133-0x00000000006B0000-0x00000000009D4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar
C:\Windows\system32\SubDir\Client.exe	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar

Executes dropped EXE 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

2964 Client.exe
4228 Client.exe
4316 Client.exe

pid	process
2964	Client.exe
4228	Client.exe
4316	Client.exe

Drops file in System32 directory 9 IoCs

Processes:

Client.exeClient.exeFree Robux.exeClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Free Robux.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Free Robux.exe
File opened for modification	C:\Windows\system32\SubDir	Free Robux.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4848 schtasks.exe
4740 schtasks.exe
4828 schtasks.exe
4376 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5100 PING.EXE
1272 PING.EXE

pid	process
4848	schtasks.exe
4740	schtasks.exe
4828	schtasks.exe
4376	schtasks.exe

pid	process
5100	PING.EXE
1272	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Free Robux.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2324	Free Robux.exe
Token: SeDebugPrivilege	2964	Client.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeDebugPrivilege	4316	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

2964 Client.exe
4228 Client.exe
4316 Client.exe

pid	process
2964	Client.exe
4228	Client.exe
4316	Client.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Free Robux.exeClient.execmd.exeClient.execmd.exeClient.exe

description	pid	process	target process
PID 2324 wrote to memory of 4740	2324	Free Robux.exe	schtasks.exe
PID 2324 wrote to memory of 4740	2324	Free Robux.exe	schtasks.exe
PID 2324 wrote to memory of 2964	2324	Free Robux.exe	Client.exe
PID 2324 wrote to memory of 2964	2324	Free Robux.exe	Client.exe
PID 2964 wrote to memory of 4828	2964	Client.exe	schtasks.exe
PID 2964 wrote to memory of 4828	2964	Client.exe	schtasks.exe
PID 2964 wrote to memory of 4332	2964	Client.exe	cmd.exe
PID 2964 wrote to memory of 4332	2964	Client.exe	cmd.exe
PID 4332 wrote to memory of 3676	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 3676	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 5100	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 5100	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4228	4332	cmd.exe	Client.exe
PID 4332 wrote to memory of 4228	4332	cmd.exe	Client.exe
PID 4228 wrote to memory of 4376	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 4376	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 4580	4228	Client.exe	cmd.exe
PID 4228 wrote to memory of 4580	4228	Client.exe	cmd.exe
PID 4580 wrote to memory of 1604	4580	cmd.exe	chcp.com
PID 4580 wrote to memory of 1604	4580	cmd.exe	chcp.com
PID 4580 wrote to memory of 1272	4580	cmd.exe	PING.EXE
PID 4580 wrote to memory of 1272	4580	cmd.exe	PING.EXE
PID 4580 wrote to memory of 4316	4580	cmd.exe	Client.exe
PID 4580 wrote to memory of 4316	4580	cmd.exe	Client.exe
PID 4316 wrote to memory of 4848	4316	Client.exe	schtasks.exe
PID 4316 wrote to memory of 4848	4316	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Free Robux.exe
"C:\Users\Admin\AppData\Local\Temp\Free Robux.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rNYbfVrDZ6kA.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3676

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5100

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\opA4Far4qQNE.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1272

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\opA4Far4qQNE.bat
Filesize
196B

MD5
130895a97efc5d7b8a4e262c5472b16f

SHA1
964cfe751ec0f41d0a29f48aa418aa5aa078b545

SHA256
5bdc8359458609fcbb57e82350da0389829f551904b79620ad3d7bf38075f166

SHA512
49dccf543031d80cb3ba31dd46c356702432a6a75887909d5bd136977cf9a4762effc706e3362e8b0ee7aead0bf696583d2d7071b7c6766dd06c753a450768f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rNYbfVrDZ6kA.bat
Filesize
196B

MD5
959cd3034e97658297c38264b56d6962

SHA1
33927bd793b6c64b69c8949617458a733ff9f19e

SHA256
db13a5418415e9a0de987e5ab1a70f8fcdaa776a005c76fc29232646d47128db

SHA512
eabfb565dffdac6b0c15d3d4fa6199899fedf73717a986e61216a4eda786d8a93f0cdaadcd5e3b4e77917e292e968545fa4ee1b7b297c5900a5fb6de159f709f

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\System32\SubDir\Client.exe
Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\system32\SubDir\Client.exe
Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
memory/2324-133-0x00000000006B0000-0x00000000009D4000-memory.dmp

Filesize
3.1MB

Download
memory/2324-134-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/2324-135-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download
memory/2324-142-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/2964-153-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/2964-144-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/2964-147-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/2964-146-0x000000001C790000-0x000000001C842000-memory.dmp

Filesize
712KB

Download
memory/2964-145-0x000000001C680000-0x000000001C6D0000-memory.dmp

Filesize
320KB

Download
memory/2964-143-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/2964-148-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/4228-159-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/4228-160-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4228-164-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/4228-158-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4228-157-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/4316-167-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/4316-168-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download
memory/4316-169-0x00007FFA0D950000-0x00007FFA0E411000-memory.dmp

Filesize
10.8MB

Download
memory/4316-170-0x0000000001A70000-0x0000000001A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads