quasar | 251bcc9f598fcae75d9aa7eb0e9c265d55847ab56f47c066376cffe695045766

General

Target

d151668cc8126a84f824dc66856e77f7.exe
Size

2.6MB
MD5

d151668cc8126a84f824dc66856e77f7
SHA1

4c2fda4ab4aded1275a0fde6c644a65cc5dec6d0
SHA256

251bcc9f598fcae75d9aa7eb0e9c265d55847ab56f47c066376cffe695045766
SHA512

0eb38a3f80da0f7c8be762253dc44a3429fa5535d2219664c6f80b025c51c127ffe6a9486418415384b86d2f037c0877d4180e3d981f46d730c1888344419474
SSDEEP

3072:vaYxWNzXZmlCBed9Lg6QjTfLCbCXTucxBZ:vLxszX7wijTff

Score

10^/10

quasar kurban spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

KURBAN

C2

zheresss.duckdns.org:4782

Mutex

7d4567a3-a2c5-4e67-a173-49a6c1ff9ba1

Attributes

encryption_key
86FD1C543EB2555B79B5BA711E72F897DDD244DE
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
FxsTmps

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-4-0x0000000000920000-0x00000000009A4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2672 schtasks.exe
1712 schtasks.exe

pid	process
2672	schtasks.exe
1712	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d151668cc8126a84f824dc66856e77f7.exe

description	pid	process	target process
PID 2484 wrote to memory of 2080	2484	d151668cc8126a84f824dc66856e77f7.exe	powershell.exe
PID 2484 wrote to memory of 2080	2484	d151668cc8126a84f824dc66856e77f7.exe	powershell.exe
PID 2484 wrote to memory of 2080	2484	d151668cc8126a84f824dc66856e77f7.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe
"C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
2⤵
PID:2080

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\FxsTmps\svchost.exe
"C:\Windows\system32\FxsTmps\svchost.exe"
2⤵
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Windows\system32\FxsTmps\svchost.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
PID:2116

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\FxsTmps\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4b8ed7b6b22d7bfc4b6bf2359afc9c9e

SHA1
2fd211b06e41eb128e0dc676952fdc78e869cabf

SHA256
652cd8102da1e616e185ab01998adc4df5969d5b1419b41dedafdffffee0b9a9

SHA512
c5e658bc3d0c0e882c15b8a111fc08529088f16b9cf35f0d2dfc2289912e77a2a7d2e72405fc5eeae5acceda0b6b7b7d0c6403274e5ef44154218f49e3cdaa8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MXBVFEP4M31J5HIJ4Y6S.temp
Filesize
7KB

MD5
a9cd8ba9f66304c952875ce36de6b38a

SHA1
39fa36e0e05ebebaeca1a07be05c9b63aeff5fac

SHA256
8870488b81497e348e05822576c68c7f2761bbb55f219944ea1fd5f3df89f83e

SHA512
3ebf53fd28259ee6a1cbcd5ddf429f45ad0016111701244830f8743411742f4429fe1e5951ae438c046bbe9b28be70d05ac5f42797478637081e6cd20a919008

Download Submit
C:\Windows\System32\FxsTmps\svchost.exe
Filesize
75KB

MD5
50be2bd281f25c42074210c40883492c

SHA1
2aee513fb79a1db6d4de1f89535949c94460551b

SHA256
d5fab6af26ef09bad2fcc49971c5bb60b55e1be2ed20aaf679be3f7e6b31204a

SHA512
3c551a1b56f83fe8ff146b6c1fa4d73a54138592f7958080b9284b6e15e350ebff4fc9e6bdb98b511c0e27d59ef671578fc6ff62ff1539b386ff9db04c1a0f02

Download Submit
C:\Windows\system32\FxsTmps\svchost.exe
Filesize
371KB

MD5
4cb98a264ecdebfceb98f4bb50ed56e4

SHA1
9329cacb63364c3275320178c21701b7821203d6

SHA256
028d466a2797799b48c17f8e7891bddd07a3bb2792d48432400e9c83d11131fb

SHA512
074028fa726bb307bdab4474c62edaf6c8a1b4c0e76b89e34652c1cf197fb05b6305bb4d84fa6e9df46d9d47c34c0b9c3941dc911c2eed0c782b77cbd34095eb

Download Submit
\Windows\System32\FxsTmps\svchost.exe
Filesize
126KB

MD5
2d9e7c7056b2b4b42fd42946fdee8ebe

SHA1
62ac488c62f05fe1dca747196cc46583ac4f6603

SHA256
d56718a61d757575f6868eda6682682bc6ea02b133c0427ff260fb61154f9076

SHA512
8f98dbe80c2d2d1bbca06998c182ce7a50be487369eb3feb58405fd9d08c1c0a5743e819c673e098471ac7e413060eadba2b5719905848de3dd449c4ccb04d20

Download Submit
memory/2080-16-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-10-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2080-11-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-12-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-13-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-51-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-15-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-14-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-9-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2080-38-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-39-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2080-37-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-31-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-42-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-52-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-47-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-46-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-44-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-32-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-34-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-35-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-33-0x000007FEEDE00000-0x000007FEEE79D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-36-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-45-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2116-43-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2484-3-0x000000001C120000-0x000000001C1A0000-memory.dmp

Filesize
512KB

Download
memory/2484-24-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-4-0x0000000000920000-0x00000000009A4000-memory.dmp

Filesize
528KB

Download
memory/2484-0-0x000000013F0C0000-0x000000013F368000-memory.dmp

Filesize
2.7MB

Download
memory/2484-2-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2484-1-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/3032-40-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/3032-41-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/3032-23-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/3032-22-0x000000013FDB0000-0x0000000140058000-memory.dmp

Filesize
2.7MB

Download
memory/3032-25-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads