quasar | 6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

General

Target

0x000600000001b030-21.exe
Size

3.1MB
MD5

e59e289b47fee7506e2cc216378f3955
SHA1

0dc7ab970aac7e9348928415ee5bdae424415489
SHA256

6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf
SHA512

0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef
SSDEEP

49152:Dv+I22SsaNYfdPBldt698dBcjHnMOBqsarFUoGdkATHHB72eh2NT:Dvz22SsaNYfdPBldt6+dBcjHMoqc0

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:4782

Mutex

c01ef685-50b2-41b1-af94-aee5bc04e6fd

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-0-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\svchost.exe	family_quasar
C:\Windows\system32\SubDir\svchost.exe	family_quasar
behavioral1/memory/2440-8-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2440 svchost.exe

pid	process
2440	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

0x000600000001b030-21.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\svchost.exe	0x000600000001b030-21.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	0x000600000001b030-21.exe
File opened for modification	C:\Windows\system32\SubDir	0x000600000001b030-21.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1860 schtasks.exe
1660 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0x000600000001b030-21.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1956 0x000600000001b030-21.exe
Token: SeDebugPrivilege 2440 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2440 svchost.exe

pid	process
1860	schtasks.exe
1660	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1956	0x000600000001b030-21.exe
Token: SeDebugPrivilege	2440	svchost.exe

pid	process
2440	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0x000600000001b030-21.exesvchost.exe

description	pid	process	target process
PID 1956 wrote to memory of 1860	1956	0x000600000001b030-21.exe	schtasks.exe
PID 1956 wrote to memory of 1860	1956	0x000600000001b030-21.exe	schtasks.exe
PID 1956 wrote to memory of 1860	1956	0x000600000001b030-21.exe	schtasks.exe
PID 1956 wrote to memory of 2440	1956	0x000600000001b030-21.exe	svchost.exe
PID 1956 wrote to memory of 2440	1956	0x000600000001b030-21.exe	svchost.exe
PID 1956 wrote to memory of 2440	1956	0x000600000001b030-21.exe	svchost.exe
PID 2440 wrote to memory of 1660	2440	svchost.exe	schtasks.exe
PID 2440 wrote to memory of 1660	2440	svchost.exe	schtasks.exe
PID 2440 wrote to memory of 1660	2440	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x000600000001b030-21.exe
"C:\Users\Admin\AppData\Local\Temp\0x000600000001b030-21.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\SubDir\svchost.exe
"C:\Windows\system32\SubDir\svchost.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\svchost.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
C:\Windows\system32\SubDir\svchost.exe
Filesize
3.1MB

MD5
e59e289b47fee7506e2cc216378f3955

SHA1
0dc7ab970aac7e9348928415ee5bdae424415489

SHA256
6299e3156cc953585df57ec5f47b8674bee9598c479cd6096871126e2d4632cf

SHA512
0c0c815d387ee0edf5a2ac1323377b4f93a2d76a5061bbaa04cf3f41e4bb053440561608da9ace7387c3433b0ae1888fdbe724fc0840b38733a3dba462cb1cef

Download Submit
memory/1956-0-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/1956-1-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1956-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/1956-11-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-8-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/2440-9-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-10-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2440-12-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-13-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads