quasar | e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463

General

Target

Client-built.exe
Size

3.1MB
MD5

97ca31cf187986d32927e44a55b9492f
SHA1

a88a775bff0eb5fb33883eb1ecfbf41ed18a248e
SHA256

e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463
SHA512

850ca8e9ffda13dc1e1c8a8c0fe96310da974051342717de2358b7917e3939a8eadf1170d4d6d16f02afe815d41fda2061652c5a69e84e32962c2acc53f917c5
SSDEEP

49152:Evfgo2QSaNpzyPllgamb0CZof/JOkJrAMfNLoGdnTHHB72eh2NT:EvIo2QSaNpzyPllgamYCZof/JOkJrJ

Score

10^/10

quasar infected spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Infected

C2

192.168.1.1:4782

192.168.1.66:4782

dark-crystal.at.ply.gg:4782

AmirAmir8565-21667.portmap.host:4782

AmirAmir8565-20409.portmap.host:20409

Mutex

ff410ede-beff-4970-8e12-7d251057f1fd

Attributes

encryption_key
1B172706DED462B59F2A5056AB06A8DD1EE8491B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek Audio
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4488-133-0x0000000000510000-0x0000000000834000-memory.dmp	family_quasar
C:\Windows\system32\SubDir\Client.exe	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar
C:\Windows\System32\SubDir\Client.exe	family_quasar

Executes dropped EXE 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

4148 Client.exe
4988 Client.exe
2844 Client.exe

pid	process
4148	Client.exe
4988	Client.exe
2844	Client.exe

Drops file in System32 directory 9 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1464 schtasks.exe
2932 schtasks.exe
4088 schtasks.exe
1744 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1812 PING.EXE
3916 PING.EXE

pid	process
1464	schtasks.exe
2932	schtasks.exe
4088	schtasks.exe
1744	schtasks.exe

pid	process
1812	PING.EXE
3916	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4488	Client-built.exe
Token: SeDebugPrivilege	4148	Client.exe
Token: SeDebugPrivilege	4988	Client.exe
Token: SeDebugPrivilege	2844	Client.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

4148 Client.exe
4988 Client.exe
2844 Client.exe

pid	process
4148	Client.exe
4988	Client.exe
2844	Client.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.exe

description	pid	process	target process
PID 4488 wrote to memory of 1464	4488	Client-built.exe	schtasks.exe
PID 4488 wrote to memory of 1464	4488	Client-built.exe	schtasks.exe
PID 4488 wrote to memory of 4148	4488	Client-built.exe	Client.exe
PID 4488 wrote to memory of 4148	4488	Client-built.exe	Client.exe
PID 4148 wrote to memory of 2932	4148	Client.exe	schtasks.exe
PID 4148 wrote to memory of 2932	4148	Client.exe	schtasks.exe
PID 4148 wrote to memory of 1796	4148	Client.exe	cmd.exe
PID 4148 wrote to memory of 1796	4148	Client.exe	cmd.exe
PID 1796 wrote to memory of 3028	1796	cmd.exe	chcp.com
PID 1796 wrote to memory of 3028	1796	cmd.exe	chcp.com
PID 1796 wrote to memory of 3916	1796	cmd.exe	PING.EXE
PID 1796 wrote to memory of 3916	1796	cmd.exe	PING.EXE
PID 1796 wrote to memory of 4988	1796	cmd.exe	Client.exe
PID 1796 wrote to memory of 4988	1796	cmd.exe	Client.exe
PID 4988 wrote to memory of 4088	4988	Client.exe	schtasks.exe
PID 4988 wrote to memory of 4088	4988	Client.exe	schtasks.exe
PID 4988 wrote to memory of 3576	4988	Client.exe	cmd.exe
PID 4988 wrote to memory of 3576	4988	Client.exe	cmd.exe
PID 3576 wrote to memory of 1352	3576	cmd.exe	chcp.com
PID 3576 wrote to memory of 1352	3576	cmd.exe	chcp.com
PID 3576 wrote to memory of 1812	3576	cmd.exe	PING.EXE
PID 3576 wrote to memory of 1812	3576	cmd.exe	PING.EXE
PID 3576 wrote to memory of 2844	3576	cmd.exe	Client.exe
PID 3576 wrote to memory of 2844	3576	cmd.exe	Client.exe
PID 2844 wrote to memory of 1744	2844	Client.exe	schtasks.exe
PID 2844 wrote to memory of 1744	2844	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1464
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4AVRUBwt52uS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3028
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3916
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:4088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rg1OGvIX7lBQ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1352
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1812
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4AVRUBwt52uS.bat

Filesize
196B

MD5
690767ea9331da5ac183d8211d46f100

SHA1
f194217139578d42468f1e730b4d60c28ada97f1

SHA256
99bf61558b0a6fa7a858300af2e6c35ef2db06c90aacbfd3c71d1d291897bd3b

SHA512
afae1374860afb43529a6f7e5559e3526a8778bba02ca90e849223366aba360bd261f99fc528f83b993bef4b5eda0febd8c94bca517c2c4c5a84203abd00bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rg1OGvIX7lBQ.bat

Filesize
196B

MD5
4094ef87857378d6ea6d9353333d07ce

SHA1
c509e88a7f272d41b4d60de6fb0fe4ceb8b1b646

SHA256
0d3a6394f49d7048b3492511ac2f93c53e824ee909f84c336f2b50e5d860f94b

SHA512
854cee13d8a851b198fec51d5489abaaacb9247a17f3ffc00d659b45342391b079d3bd6d9595e6e5216b01227c5752a782263155a2c2691aa6328133dd46e736

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
97ca31cf187986d32927e44a55b9492f

SHA1
a88a775bff0eb5fb33883eb1ecfbf41ed18a248e

SHA256
e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463

SHA512
850ca8e9ffda13dc1e1c8a8c0fe96310da974051342717de2358b7917e3939a8eadf1170d4d6d16f02afe815d41fda2061652c5a69e84e32962c2acc53f917c5

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
97ca31cf187986d32927e44a55b9492f

SHA1
a88a775bff0eb5fb33883eb1ecfbf41ed18a248e

SHA256
e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463

SHA512
850ca8e9ffda13dc1e1c8a8c0fe96310da974051342717de2358b7917e3939a8eadf1170d4d6d16f02afe815d41fda2061652c5a69e84e32962c2acc53f917c5

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
97ca31cf187986d32927e44a55b9492f

SHA1
a88a775bff0eb5fb33883eb1ecfbf41ed18a248e

SHA256
e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463

SHA512
850ca8e9ffda13dc1e1c8a8c0fe96310da974051342717de2358b7917e3939a8eadf1170d4d6d16f02afe815d41fda2061652c5a69e84e32962c2acc53f917c5

Download Submit
C:\Windows\system32\SubDir\Client.exe

Filesize
3.1MB

MD5
97ca31cf187986d32927e44a55b9492f

SHA1
a88a775bff0eb5fb33883eb1ecfbf41ed18a248e

SHA256
e0b8bdf7e79e5c4e2f9282b430bd4779f27609cef1996e2c633bfacb4ef16463

SHA512
850ca8e9ffda13dc1e1c8a8c0fe96310da974051342717de2358b7917e3939a8eadf1170d4d6d16f02afe815d41fda2061652c5a69e84e32962c2acc53f917c5

Download Submit
memory/2844-170-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2844-169-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/2844-168-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2844-167-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4148-153-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4148-148-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

Filesize
64KB

Download
memory/4148-147-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4148-146-0x000000001BD30000-0x000000001BDE2000-memory.dmp

Filesize
712KB

Download
memory/4148-142-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4148-145-0x000000001BC20000-0x000000001BC70000-memory.dmp

Filesize
320KB

Download
memory/4148-144-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

Filesize
64KB

Download
memory/4488-143-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4488-134-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4488-135-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/4488-133-0x0000000000510000-0x0000000000834000-memory.dmp

Filesize
3.1MB

Download
memory/4988-159-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4988-165-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download
memory/4988-160-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/4988-158-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/4988-157-0x00007FF8FFEB0000-0x00007FF900971000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads