quasar | 78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

General

Target

Free Robux.exe
Size

3.1MB
MD5

12dfc98e55d187e82fe2207383447e0b
SHA1

efb3fb106202b9a12f1894e703fcee27cb93e28c
SHA256

78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f
SHA512

410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9
SSDEEP

49152:DvBuf2NUaNmwzPWlvdaKM7ZxTwdlRJ64bR3LoGdQTHHB72eh2NT:Dvcf2NUaNmwzPWlvdaB7ZxTwdlRJ6S

Score

10^/10

quasar infected spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Infected

C2

192.168.1.1:4782

192.168.1.66:4782

dark-crystal.at.ply.gg:4782

Mutex

ff410ede-beff-4970-8e12-7d251057f1fd

Attributes

encryption_key
1B172706DED462B59F2A5056AB06A8DD1EE8491B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek Audio
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral2/memory/2320-133-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral2/files/0x000900000002322c-139.dat	family_quasar
behavioral2/files/0x000900000002322c-140.dat	family_quasar
behavioral2/files/0x000900000002322c-155.dat	family_quasar
behavioral2/files/0x000900000002322c-166.dat	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
3968	Client.exe
4784	Client.exe
4824	Client.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Free Robux.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Free Robux.exe
File opened for modification	C:\Windows\system32\SubDir	Free Robux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1688	schtasks.exe
636	schtasks.exe
2648	schtasks.exe
1732	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5012	PING.EXE
4136	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	Free Robux.exe
Token: SeDebugPrivilege	3968	Client.exe
Token: SeDebugPrivilege	4784	Client.exe
Token: SeDebugPrivilege	4824	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3968	Client.exe
4784	Client.exe
4824	Client.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1688	2320	Free Robux.exe	82
PID 2320 wrote to memory of 1688	2320	Free Robux.exe	82
PID 2320 wrote to memory of 3968	2320	Free Robux.exe	83
PID 2320 wrote to memory of 3968	2320	Free Robux.exe	83
PID 3968 wrote to memory of 636	3968	Client.exe	87
PID 3968 wrote to memory of 636	3968	Client.exe	87
PID 3968 wrote to memory of 5096	3968	Client.exe	94
PID 3968 wrote to memory of 5096	3968	Client.exe	94
PID 5096 wrote to memory of 4144	5096	cmd.exe	96
PID 5096 wrote to memory of 4144	5096	cmd.exe	96
PID 5096 wrote to memory of 5012	5096	cmd.exe	97
PID 5096 wrote to memory of 5012	5096	cmd.exe	97
PID 5096 wrote to memory of 4784	5096	cmd.exe	98
PID 5096 wrote to memory of 4784	5096	cmd.exe	98
PID 4784 wrote to memory of 2648	4784	Client.exe	99
PID 4784 wrote to memory of 2648	4784	Client.exe	99
PID 4784 wrote to memory of 452	4784	Client.exe	101
PID 4784 wrote to memory of 452	4784	Client.exe	101
PID 452 wrote to memory of 2744	452	cmd.exe	103
PID 452 wrote to memory of 2744	452	cmd.exe	103
PID 452 wrote to memory of 4136	452	cmd.exe	104
PID 452 wrote to memory of 4136	452	cmd.exe	104
PID 452 wrote to memory of 4824	452	cmd.exe	105
PID 452 wrote to memory of 4824	452	cmd.exe	105
PID 4824 wrote to memory of 1732	4824	Client.exe	106
PID 4824 wrote to memory of 1732	4824	Client.exe	106

C:\Users\Admin\AppData\Local\Temp\Free Robux.exe
"C:\Users\Admin\AppData\Local\Temp\Free Robux.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1688
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0a0MPw8NLmbD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4144
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:5012
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\03jUAwc9KXUY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2744
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4136
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\03jUAwc9KXUY.bat

Filesize
196B

MD5
f5bdad830c1fae738d75fb08d6fd4648

SHA1
57b41f41ec759ed21243bab3080ea50f63d5ae5d

SHA256
9120cf1d0e484e032074a8fc10ff0da004252661352fae682293e7eed51ab42f

SHA512
36e37fc253277222719f929d0b7cecead2347ff5587850bf4fe7e56fe7dd679c85e5a70bcf5dd111cbeb28444aa1e0d099fa456451f51ba8cbaac97736f472ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a0MPw8NLmbD.bat

Filesize
196B

MD5
92c63bf431b0634f6fc707a5ed9cc24f

SHA1
2216752aa8fc5bf5e794536f3b71b0e17ed95ba7

SHA256
4af28bf3193e14958e533dec28605f3ba9db5aee9f106a4e2b202bbf0b2b487b

SHA512
e39b8fff125e16d2c3a2445f1575565b75cd6de9307aeafdaa0489c5d871769820c44d5bb0859a1129638455cec1da831c1560ba9c99fb72f634b9ecf8200b20

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
C:\Windows\system32\SubDir\Client.exe

Filesize
3.1MB

MD5
12dfc98e55d187e82fe2207383447e0b

SHA1
efb3fb106202b9a12f1894e703fcee27cb93e28c

SHA256
78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

SHA512
410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

Download Submit
memory/2320-142-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/2320-133-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download
memory/2320-134-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/2320-135-0x000000001BB90000-0x000000001BBA0000-memory.dmp

Filesize
64KB

Download
memory/3968-144-0x000000001B250000-0x000000001B260000-memory.dmp

Filesize
64KB

Download
memory/3968-145-0x0000000002790000-0x00000000027E0000-memory.dmp

Filesize
320KB

Download
memory/3968-154-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/3968-148-0x000000001B250000-0x000000001B260000-memory.dmp

Filesize
64KB

Download
memory/3968-143-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/3968-146-0x000000001D190000-0x000000001D242000-memory.dmp

Filesize
712KB

Download
memory/3968-147-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4784-159-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4784-160-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/4784-158-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/4784-165-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4784-157-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4824-167-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4824-168-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/4824-169-0x00007FFC96840000-0x00007FFC97301000-memory.dmp

Filesize
10.8MB

Download
memory/4824-170-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads