quasar | 92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

General

Target

intelservice.exe
Size

348KB
MD5

2f890b7ca2e7b4b24bb534c28e54d7cf
SHA1

e8d9f966c18f10f1eff01478d41dabacd0300da5
SHA256

92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7
SHA512

666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841
SSDEEP

6144:60qQ4i1FFiEKDvLJavf52ibVcbVKglEb0ouAYyj9jZV293DIa:rpliTVOf56WBYylc3DIa

Score

10^/10

quasar hackee spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hackee

C2

20.205.140.63:1024

Mutex

QSR_MUTEX_5Tlo4RbwyDWBOOlMEb

Attributes

encryption_key
zFGtr8G9lnuwN5OHbzbL
install_name
intelservice.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Intel CPU Service
subdirectory
intelcpu

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/440-0-0x0000000000DC0000-0x0000000000E1E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000022e03-11.dat	family_quasar
behavioral2/files/0x0007000000022e03-13.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4412	intelservice.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1228	schtasks.exe
2092	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	intelservice.exe
Token: SeDebugPrivilege	4412	intelservice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4412	intelservice.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 1228	440	intelservice.exe	94
PID 440 wrote to memory of 1228	440	intelservice.exe	94
PID 440 wrote to memory of 1228	440	intelservice.exe	94
PID 440 wrote to memory of 4412	440	intelservice.exe	96
PID 440 wrote to memory of 4412	440	intelservice.exe	96
PID 440 wrote to memory of 4412	440	intelservice.exe	96
PID 4412 wrote to memory of 2092	4412	intelservice.exe	98
PID 4412 wrote to memory of 2092	4412	intelservice.exe	98
PID 4412 wrote to memory of 2092	4412	intelservice.exe	98

C:\Users\Admin\AppData\Local\Temp\intelservice.exe
"C:\Users\Admin\AppData\Local\Temp\intelservice.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\intelservice.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1228
- C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe
  "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Intel CPU Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\intelservice.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe

Filesize
348KB

MD5
2f890b7ca2e7b4b24bb534c28e54d7cf

SHA1
e8d9f966c18f10f1eff01478d41dabacd0300da5

SHA256
92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

SHA512
666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

Download Submit
C:\Users\Admin\AppData\Roaming\intelcpu\intelservice.exe

Filesize
348KB

MD5
2f890b7ca2e7b4b24bb534c28e54d7cf

SHA1
e8d9f966c18f10f1eff01478d41dabacd0300da5

SHA256
92dde00e5a5426b5a20e9e9e87ea29c66c6ab7cd467cbe9a90bf971f2d21a6a7

SHA512
666670b52d4113a4909cc27fb38b851c0066a74aa2bfe67bb906a0c1fffedffaf26bd8f4aa0371adea3c9e51917c1de27b3cde2ed05db56aad16f476a955f841

Download Submit
memory/440-4-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/440-0-0x0000000000DC0000-0x0000000000E1E000-memory.dmp

Filesize
376KB

Download
memory/440-5-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/440-6-0x0000000005E80000-0x0000000005E92000-memory.dmp

Filesize
72KB

Download
memory/440-7-0x0000000006A80000-0x0000000006ABC000-memory.dmp

Filesize
240KB

Download
memory/440-3-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/440-2-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/440-1-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/440-15-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/4412-16-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/4412-17-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4412-19-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/4412-20-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/4412-21-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads