quasar | ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b

General

Target

9b664d1737e4b08517167fff2d19bade.exe
Size

535KB
MD5

9b664d1737e4b08517167fff2d19bade
SHA1

dbbc1588618273813ca9f3de2708f4f4b7934029
SHA256

ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b
SHA512

955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c
SSDEEP

12288:VuxMRH2MMvs5v5iX7K+k2dV++kQgog5Y:VWu2MMv5++kRc

Score

10^/10

quasar hacked spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Hacked

C2

Cheaper-60753.portmap.host:62240

Mutex

VNM_MUTEX_7KSPEPYRO6LRW25BBT

Attributes

encryption_key
SPWhfeGvCah4GWzpm6Am
install_name
Host Process for Windows Tasks.exe
log_directory
Microsoft
reconnect_delay
1000
startup_key
Host Process for Windows Services
subdirectory
MIcrosoft

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2848-0-0x0000000000640000-0x00000000006CC000-memory.dmp	disable_win_def
behavioral2/files/0x000600000002320f-12.dat	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2848-0-0x0000000000640000-0x00000000006CC000-memory.dmp	family_quasar
behavioral2/files/0x000600000002320f-12.dat	family_quasar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	ip-api.com

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4808	1240	WerFault.exe	92

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3616	schtasks.exe
1784	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4604	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe
"C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe"
1⤵
PID:2848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:872
- C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe
  "C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe"
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IylUp5Lhe8sF.bat" "
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:4604
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1996
    3⤵
    - Program crash
    PID:4808
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Host Process for Windows Services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\9b664d1737e4b08517167fff2d19bade.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1240 -ip 1240
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IylUp5Lhe8sF.bat

Filesize
223B

MD5
9b9c12b73c35a8db6170f48bec0ab66e

SHA1
058280fd49d3359221544c96a6055ce6e5639a0e

SHA256
9fada7f880208b2901ba85be0981de322c474ff5b92b2e3e9e1dbfd2224bbb66

SHA512
3f78dad8146c13122d3175d39d955089b7d728774f5d0c33477f5299ea957bd0c8921a98c71a1015a836bbc2e07e067b3f316b1d5f97ee85e5577edfb2406d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xeg2j34.jvj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\MIcrosoft\Host Process for Windows Tasks.exe

Filesize
535KB

MD5
9b664d1737e4b08517167fff2d19bade

SHA1
dbbc1588618273813ca9f3de2708f4f4b7934029

SHA256
ed07371994b2bce11a662df8ab5603ed80a73c30cdd4f29d922eae221320a39b

SHA512
955e24ab139489a2835f553d6e58ebeb2af7dae20317c6510e3289a902bbf2a7ed329776dfc7afaa948d61fd0cd47b7216017003eaa410d4d07348e19848484c

Download Submit
memory/872-47-0x0000000006F20000-0x0000000006F3E000-memory.dmp

Filesize
120KB

Download
memory/872-51-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/872-31-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/872-32-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/872-61-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/872-58-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/872-57-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/872-56-0x0000000007320000-0x0000000007334000-memory.dmp

Filesize
80KB

Download
memory/872-16-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/872-15-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/872-17-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/872-18-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/872-19-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/872-55-0x0000000007310000-0x000000000731E000-memory.dmp

Filesize
56KB

Download
memory/872-20-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/872-30-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/872-54-0x00000000072E0000-0x00000000072F1000-memory.dmp

Filesize
68KB

Download
memory/872-53-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/872-52-0x0000000007150000-0x000000000715A000-memory.dmp

Filesize
40KB

Download
memory/872-35-0x000000007F220000-0x000000007F230000-memory.dmp

Filesize
64KB

Download
memory/872-37-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/872-36-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download
memory/872-48-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/872-49-0x0000000006FA0000-0x0000000007043000-memory.dmp

Filesize
652KB

Download
memory/872-50-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/1240-34-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/1240-13-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/1240-14-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2848-1-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/2848-4-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2848-6-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/2848-5-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/2848-2-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/2848-3-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/2848-7-0x0000000006330000-0x000000000636C000-memory.dmp

Filesize
240KB

Download
memory/2848-0-0x0000000000640000-0x00000000006CC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads