quasar | 6f4dd3d2ea6b1310b9c9e2063aba85396ea82e63f777a5dd5b42dac67c0ae630

General

Target

Client-built.exe
Size

3.1MB
MD5

488550eeb4ae87c8f9510e04e222261d
SHA1

18c1785375af65ec82a161d13354656282412803
SHA256

6f4dd3d2ea6b1310b9c9e2063aba85396ea82e63f777a5dd5b42dac67c0ae630
SHA512

4ea8274a28e8ee68633b5ebd07e68916d80d9d807ee62c3700f9cfb5bd990ba6c88b8ac7bdac893964139ea9a949a2ee092334d45b48fbe590c1345ada594514
SSDEEP

49152:fvSI22SsaNYfdPBldt698dBcjHslRJ6sbR3LoGd5/THHB72eh2NT:fv/22SsaNYfdPBldt6+dBcjHslRJ62

Score

10^/10

quasar god spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

God

C2

88.209.197.253:4782

Mutex

5b9901b6-5e69-4eaa-a9f2-55ce43b72785

Attributes

encryption_key
CEAEA9FD2F3E18352164BB4D9A6F56EFF5E2D896
install_name
COM Surrogate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/4268-0-0x0000000000570000-0x0000000000894000-memory.dmp	family_quasar
behavioral2/files/0x0006000000022e17-6.dat	family_quasar
behavioral2/files/0x0006000000022e17-8.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4208	COM Surrogate.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2224	schtasks.exe
4604	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	Client-built.exe
Token: SeDebugPrivilege	4208	COM Surrogate.exe
Token: SeManageVolumePrivilege	4276	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4208	COM Surrogate.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2224	4268	Client-built.exe	91
PID 4268 wrote to memory of 2224	4268	Client-built.exe	91
PID 4268 wrote to memory of 4208	4268	Client-built.exe	93
PID 4268 wrote to memory of 4208	4268	Client-built.exe	93
PID 4208 wrote to memory of 4604	4208	COM Surrogate.exe	98
PID 4208 wrote to memory of 4604	4208	COM Surrogate.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2224
- C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe
  "C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4604

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
172bfd22e9d2496abf3c1f21c1f75d6a

SHA1
34898d1bf2a8b1898e69fb180405632a00ef3ce5

SHA256
38146b7208522f815fc7056f14ffe67156a805563a1938ff221e5cf2ad3836f5

SHA512
d8f11477af61a009e314def8f738ec90e9dc81e2b8db838aea8afdfcfa3999ccb1adc61e130daff0010f77dd7853a60b14010e2a99f284423ed0c7b05bc08e29

Download Submit
C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe

Filesize
3.1MB

MD5
488550eeb4ae87c8f9510e04e222261d

SHA1
18c1785375af65ec82a161d13354656282412803

SHA256
6f4dd3d2ea6b1310b9c9e2063aba85396ea82e63f777a5dd5b42dac67c0ae630

SHA512
4ea8274a28e8ee68633b5ebd07e68916d80d9d807ee62c3700f9cfb5bd990ba6c88b8ac7bdac893964139ea9a949a2ee092334d45b48fbe590c1345ada594514

Download Submit
C:\Users\Admin\AppData\Roaming\System32\COM Surrogate.exe

Filesize
3.1MB

MD5
488550eeb4ae87c8f9510e04e222261d

SHA1
18c1785375af65ec82a161d13354656282412803

SHA256
6f4dd3d2ea6b1310b9c9e2063aba85396ea82e63f777a5dd5b42dac67c0ae630

SHA512
4ea8274a28e8ee68633b5ebd07e68916d80d9d807ee62c3700f9cfb5bd990ba6c88b8ac7bdac893964139ea9a949a2ee092334d45b48fbe590c1345ada594514

Download Submit
memory/4208-13-0x000000001B900000-0x000000001B9B2000-memory.dmp

Filesize
712KB

Download
memory/4208-9-0x00007FFDF36B0000-0x00007FFDF4171000-memory.dmp

Filesize
10.8MB

Download
memory/4208-11-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/4208-12-0x000000001B7F0000-0x000000001B840000-memory.dmp

Filesize
320KB

Download
memory/4208-14-0x00007FFDF36B0000-0x00007FFDF4171000-memory.dmp

Filesize
10.8MB

Download
memory/4208-15-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/4268-2-0x000000001B660000-0x000000001B670000-memory.dmp

Filesize
64KB

Download
memory/4268-10-0x00007FFDF36B0000-0x00007FFDF4171000-memory.dmp

Filesize
10.8MB

Download
memory/4268-0-0x0000000000570000-0x0000000000894000-memory.dmp

Filesize
3.1MB

Download
memory/4268-1-0x00007FFDF36B0000-0x00007FFDF4171000-memory.dmp

Filesize
10.8MB

Download
memory/4276-50-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-58-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-49-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-32-0x0000029CA5250000-0x0000029CA5260000-memory.dmp

Filesize
64KB

Download
memory/4276-51-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-52-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-53-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-54-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-55-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-56-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-57-0x0000029CAD860000-0x0000029CAD861000-memory.dmp

Filesize
4KB

Download
memory/4276-48-0x0000029CAD840000-0x0000029CAD841000-memory.dmp

Filesize
4KB

Download
memory/4276-59-0x0000029CAD490000-0x0000029CAD491000-memory.dmp

Filesize
4KB

Download
memory/4276-60-0x0000029CAD480000-0x0000029CAD481000-memory.dmp

Filesize
4KB

Download
memory/4276-62-0x0000029CAD490000-0x0000029CAD491000-memory.dmp

Filesize
4KB

Download
memory/4276-65-0x0000029CAD480000-0x0000029CAD481000-memory.dmp

Filesize
4KB

Download
memory/4276-68-0x0000029CAD3C0000-0x0000029CAD3C1000-memory.dmp

Filesize
4KB

Download
memory/4276-16-0x0000029CA5150000-0x0000029CA5160000-memory.dmp

Filesize
64KB

Download
memory/4276-80-0x0000029CAD5C0000-0x0000029CAD5C1000-memory.dmp

Filesize
4KB

Download
memory/4276-82-0x0000029CAD5D0000-0x0000029CAD5D1000-memory.dmp

Filesize
4KB

Download
memory/4276-83-0x0000029CAD5D0000-0x0000029CAD5D1000-memory.dmp

Filesize
4KB

Download
memory/4276-84-0x0000029CAD6E0000-0x0000029CAD6E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads