quasar | 251bcc9f598fcae75d9aa7eb0e9c265d55847ab56f47c066376cffe695045766

General

Target

d151668cc8126a84f824dc66856e77f7.exe
Size

2.6MB
MD5

d151668cc8126a84f824dc66856e77f7
SHA1

4c2fda4ab4aded1275a0fde6c644a65cc5dec6d0
SHA256

251bcc9f598fcae75d9aa7eb0e9c265d55847ab56f47c066376cffe695045766
SHA512

0eb38a3f80da0f7c8be762253dc44a3429fa5535d2219664c6f80b025c51c127ffe6a9486418415384b86d2f037c0877d4180e3d981f46d730c1888344419474
SSDEEP

3072:vaYxWNzXZmlCBed9Lg6QjTfLCbCXTucxBZ:vLxszX7wijTff

Score

10^/10

quasar kurban spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

KURBAN

C2

zheresss.duckdns.org:4782

Mutex

7d4567a3-a2c5-4e67-a173-49a6c1ff9ba1

Attributes

encryption_key
86FD1C543EB2555B79B5BA711E72F897DDD244DE
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
FxsTmps

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4988-3-0x000000001C100000-0x000000001C184000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d151668cc8126a84f824dc66856e77f7.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	d151668cc8126a84f824dc66856e77f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3936 svchost.exe

pid	process
3936	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

d151668cc8126a84f824dc66856e77f7.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\FxsTmps\svchost.exe	d151668cc8126a84f824dc66856e77f7.exe
File opened for modification	C:\Windows\system32\FxsTmps	d151668cc8126a84f824dc66856e77f7.exe
File opened for modification	C:\Windows\system32\FxsTmps\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\FxsTmps	svchost.exe
File created	C:\Windows\system32\FxsTmps\svchost.exe	d151668cc8126a84f824dc66856e77f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3300 schtasks.exe
4712 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3668 powershell.exe
3668 powershell.exe
1412 powershell.exe
1412 powershell.exe

pid	process
3300	schtasks.exe
4712	schtasks.exe

pid	process
3668	powershell.exe
3668	powershell.exe
1412	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d151668cc8126a84f824dc66856e77f7.exepowershell.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4988	d151668cc8126a84f824dc66856e77f7.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	3936	svchost.exe
Token: SeDebugPrivilege	1412	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

3936 svchost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

svchost.exe

pid process

3936 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3936 svchost.exe

pid	process
3936	svchost.exe

pid	process
3936	svchost.exe

pid	process
3936	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d151668cc8126a84f824dc66856e77f7.exesvchost.exe

description	pid	process	target process
PID 4988 wrote to memory of 3668	4988	d151668cc8126a84f824dc66856e77f7.exe	powershell.exe
PID 4988 wrote to memory of 3668	4988	d151668cc8126a84f824dc66856e77f7.exe	powershell.exe
PID 4988 wrote to memory of 3300	4988	d151668cc8126a84f824dc66856e77f7.exe	schtasks.exe
PID 4988 wrote to memory of 3300	4988	d151668cc8126a84f824dc66856e77f7.exe	schtasks.exe
PID 4988 wrote to memory of 3936	4988	d151668cc8126a84f824dc66856e77f7.exe	svchost.exe
PID 4988 wrote to memory of 3936	4988	d151668cc8126a84f824dc66856e77f7.exe	svchost.exe
PID 3936 wrote to memory of 1412	3936	svchost.exe	powershell.exe
PID 3936 wrote to memory of 1412	3936	svchost.exe	powershell.exe
PID 3936 wrote to memory of 4712	3936	svchost.exe	schtasks.exe
PID 3936 wrote to memory of 4712	3936	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe
"C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\d151668cc8126a84f824dc66856e77f7.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\FxsTmps\svchost.exe
"C:\Windows\system32\FxsTmps\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Windows\system32\FxsTmps\svchost.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\FxsTmps\svchost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d096831023867930e62e6d8b3d4d8ca6

SHA1
404a1e73dc1590f1c8b9327c396591567dac7365

SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgfcptw2.3yr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\FxsTmps\svchost.exe
Filesize
810KB

MD5
22511d309811fb9bd20e9991ed9f26b5

SHA1
cb545da124528ca351adf5a7e73a4482020de514

SHA256
59fef70bebf87ec01b74dbcabe2ff154ce748287cc5f6dfe167a1e804030c960

SHA512
3fb5920e4bf767bd19b6b83710f5cc1472a4b1905b747d32f2f8fd128a65d30d0580e6e416ed748e9195f38417415f63f6002ce69130f7ed3d77ca7d7fc32011

Download Submit
C:\Windows\system32\FxsTmps\svchost.exe
Filesize
1.1MB

MD5
cf0c018ce87d3b146ea1f7f86946c982

SHA1
8dcc64e306e4dd87e894c3656bb544520ed29379

SHA256
457f4a042dee1d53886b3f170374994ebef0e02972d03fd432904800b27bc15c

SHA512
ea1b4c3981adfdf6c9c3897f60edf4db98ea5660df55bf8c6bb043f1764bf5f705610619c4aac436262393541e1c5ad76fe01caad69ccd9e75a0cee0b1f0f4c0

Download Submit
memory/1412-52-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-45-0x000001557EE80000-0x000001557EE90000-memory.dmp

Filesize
64KB

Download
memory/1412-44-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-28-0x000001557EE80000-0x000001557EE90000-memory.dmp

Filesize
64KB

Download
memory/1412-27-0x000001557EE80000-0x000001557EE90000-memory.dmp

Filesize
64KB

Download
memory/1412-26-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-41-0x00000175EB9F0000-0x00000175EBA00000-memory.dmp

Filesize
64KB

Download
memory/3668-40-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-48-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-6-0x00000175EB9F0000-0x00000175EBA00000-memory.dmp

Filesize
64KB

Download
memory/3668-13-0x00000175EC940000-0x00000175EC962000-memory.dmp

Filesize
136KB

Download
memory/3668-7-0x00000175EB9F0000-0x00000175EBA00000-memory.dmp

Filesize
64KB

Download
memory/3668-5-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-42-0x00000175EB9F0000-0x00000175EBA00000-memory.dmp

Filesize
64KB

Download
memory/3668-18-0x00000175EB9F0000-0x00000175EBA00000-memory.dmp

Filesize
64KB

Download
memory/3936-39-0x000000001F2C0000-0x000000001F372000-memory.dmp

Filesize
712KB

Download
memory/3936-38-0x000000001CE60000-0x000000001CEB0000-memory.dmp

Filesize
320KB

Download
memory/3936-43-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-24-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-0-0x0000000000430000-0x00000000006D8000-memory.dmp

Filesize
2.7MB

Download
memory/4988-4-0x000000001C780000-0x000000001C790000-memory.dmp

Filesize
64KB

Download
memory/4988-25-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-3-0x000000001C100000-0x000000001C184000-memory.dmp

Filesize
528KB

Download
memory/4988-2-0x0000000003190000-0x00000000031D0000-memory.dmp

Filesize
256KB

Download
memory/4988-1-0x00007FFCBEFE0000-0x00007FFCBFAA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads