quasar | 850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a39783b4df44b14c0bc4a9ab62c2870.exe
Size

18.9MB
MD5

7a39783b4df44b14c0bc4a9ab62c2870
SHA1

1278ed63bad5d24546584f274527a7c314df8867
SHA256

850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606
SHA512

d20beda7af98aea8d27e7423aa1fcb979bd966996848be2cccf9041a6545882be2c241c83d93df318818d7495262020927e0d82abfffe6ef5495415fd9106ca2
SSDEEP

393216:rIJm/0ywuOkd8cKjti/2gRJl9Y06abayqgiJXfd9lYbhsk8:rIJVz483iugR39YMsgqXfzlYbm

Score

10^/10

quasar brave21 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

BRAVE21

pettbull.ddns.net:4782

Mutex

06538f38-9c19-4cdf-83c8-8fafb759e15a

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2476-95-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7a39783b4df44b14c0bc4a9ab62c2870.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2208	Host file.exe
2392	Host file.exe
2476	Host file.exe
1936	ytd6-setup.exe
468	ytd6-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	api.ipify.org
50	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2476	2208	Host file.exe	100

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe	7a39783b4df44b14c0bc4a9ab62c2870.exe
File opened for modification	C:\Program Files (x86)\YTD\YTD\Uninstall.exe	7a39783b4df44b14c0bc4a9ab62c2870.exe
File created	C:\Program Files (x86)\YTD\YTD\Uninstall.ini	7a39783b4df44b14c0bc4a9ab62c2870.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3904	Powershell.exe
2208	Host file.exe
2208	Host file.exe
3904	Powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	Host file.exe
Token: SeDebugPrivilege	3904	Powershell.exe
Token: SeDebugPrivilege	2476	Host file.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2208	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	91
PID 3204 wrote to memory of 2208	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	91
PID 3204 wrote to memory of 2208	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	91
PID 2208 wrote to memory of 3904	2208	Host file.exe	97
PID 2208 wrote to memory of 3904	2208	Host file.exe	97
PID 2208 wrote to memory of 3904	2208	Host file.exe	97
PID 2208 wrote to memory of 2392	2208	Host file.exe	99
PID 2208 wrote to memory of 2392	2208	Host file.exe	99
PID 2208 wrote to memory of 2392	2208	Host file.exe	99
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 2208 wrote to memory of 2476	2208	Host file.exe	100
PID 3204 wrote to memory of 1936	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	101
PID 3204 wrote to memory of 1936	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	101
PID 3204 wrote to memory of 1936	3204	7a39783b4df44b14c0bc4a9ab62c2870.exe	101
PID 1936 wrote to memory of 468	1936	ytd6-setup.exe	102
PID 1936 wrote to memory of 468	1936	ytd6-setup.exe	102
PID 1936 wrote to memory of 468	1936	ytd6-setup.exe	102

C:\Users\Admin\AppData\Local\Temp\7a39783b4df44b14c0bc4a9ab62c2870.exe
"C:\Users\Admin\AppData\Local\Temp\7a39783b4df44b14c0bc4a9ab62c2870.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Roaming\Host file.exe
  "C:\Users\Admin\AppData\Roaming\Host file.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell" Copy-Item 'C:\Users\Admin\AppData\Roaming\Host file.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Users\Admin\AppData\Roaming\Host file.exe
    "C:\Users\Admin\AppData\Roaming\Host file.exe"
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Users\Admin\AppData\Roaming\Host file.exe
    "C:\Users\Admin\AppData\Roaming\Host file.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe
  "C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\is-4N6JL.tmp\ytd6-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4N6JL.tmp\ytd6-setup.tmp" /SL5="$D0034,18756843,57856,C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe"
    3⤵
    - Executes dropped EXE
    PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe

Filesize
117KB

MD5
9810620c9f1a0b7e886416f4a3f7eb94

SHA1
b99ae8de27e3dd7e4a25d2fcc3df8e26feb9d88f

SHA256
c3c5ca64ede8d810a40ca9966e8a9c00c30ea96a9ce4ca2d6764943c42bcfa99

SHA512
b5a5e81f998067d5e6236388ef922718d8648f0c45afaff5125cccda2f3847143f7a7d73887f5d591375adf3656d8a924224bb8122e185a617bc59636f7d5b45

Download Submit
C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe

Filesize
79KB

MD5
3c314674d4d74dc823311c67f438ba6c

SHA1
f3575aeda09472556c57345857ec31883341de1a

SHA256
d1a65053cff1b25f4f2b835c19aa9741fc98635cfb587255cc2442221cd40edc

SHA512
d892fad0ac521b35010fbb3d9d55175ef2ffee6549e0309650060c98af651be4a5ce6f78d8f1050c1bf306d04ba1abc6e98d19d9b1b3dc501a05ea12787f50ae

Download Submit
C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe

Filesize
108KB

MD5
788bcef92618d51edb3ab3ebd08a138d

SHA1
5ac583b279c02ede7c09a50634aeea645eec248e

SHA256
da0c97775316befb0b17ac151a631dd8d0213e73d0c4053f1a53827949c4913a

SHA512
25a6e38e71a1d7c01724e9fd9f9b014c9ba2db022793d57ecc27fe469b4240b038a996adc9c62e07f81d1bcc4305d48329d9337ac49a893762010ed1261adbeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Host file.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
507KB

MD5
cd3e75de9a1f183fab974c11a00b7ea5

SHA1
38e33aa2038faae2178f582d0b9374dd8b31e22b

SHA256
2800f2cbf8edf0aaa0533969dafac93b02ec5a2d494957f63daa71df81a11fd5

SHA512
22349032d90e97c5047e3e6f0a906dd23365dc4e295c1795b158be19b5c8a76b5fe96c5d5559735996339c18dd007d03fc4b353970fd0d24b85e9eeea080cc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyegaomu.3h1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4N6JL.tmp\ytd6-setup.tmp

Filesize
302KB

MD5
b63301a22e6d3dead6f8617e06e98371

SHA1
9a986df6f4cd86a058febfcb911ffdf9046c73b3

SHA256
e5566581a3f88fb64864e9f4227cce0056a8e7d1f9db1501eb66fb300f09b211

SHA512
c494c95b50eea823c504adc208b95fce13f7a86c402704aef6c4af271839f4548346fcf9d487af308d39e17f9b6b9b2c31f982c96a0f94e46495f55e2193ccb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4N6JL.tmp\ytd6-setup.tmp

Filesize
125KB

MD5
fb5d05b08b2fc13109ddc224e8ab496e

SHA1
c3613a8c2794bdbfd2c129f7a74c593538cad744

SHA256
63669ca5cbd9849e992c9ae402ce66f4cdaf17c9bebfebbce421e47dd191c3b7

SHA512
64533a2d99818f8b60f7f1e50eb3b15f4b11ed6dcacfc9878fd134290b200e12ec4d192502bf8e7522828d06b98ee12830079db804ef656e0f83a59053ffdb41

Download Submit
C:\Users\Admin\AppData\Roaming\Host file.exe

Filesize
531KB

MD5
30bdc31542ecfba7a954a715d70cc480

SHA1
fae8dfb2f5eb516d1002c9bbe0886e9f57e96efe

SHA256
a52b8be57a504d5b861d3aab2607c9615a535ea5b024749eb949363df8c6da95

SHA512
a4a65817c969d6773742c56a4a2f073cc78697c39231911f83b7e76da201b9128a8f311b602cfa5475f51b5224ff6d35dd1e72ef3025a218ce7b55aaa013cd4a

Download Submit
C:\Users\Admin\AppData\Roaming\Host file.exe

Filesize
640KB

MD5
c8d2bf10b5984639d0978a376c188f22

SHA1
4aec3555c0077b99383828d37113de5c9df0d0e0

SHA256
cceb592fdf3febdc10e629b5dca6d3f1323910562ff090b7206147988f26fbe8

SHA512
321137646b3cc94ffe4241110838b4e972e5f9df49ce0fe96ebbcd671f2063e1dad0e235054bb4cedd3e97143c903f1156404ddb72c3588e8733d6d9f37d7048

Download Submit
C:\Users\Admin\AppData\Roaming\Host file.exe

Filesize
315KB

MD5
eabedf6c039b591c9f722d5e1a94c6a4

SHA1
debbd01dc92bbc4566511aa4121739c084844770

SHA256
aa9ff25d1afdaae958392c50f1b0d90ee6d66a8df878ac90e69e26c1176e3636

SHA512
98106f3e54e13cf6aa6470f417f62648e08cd749ebe71067e62e01aa084dc6fc010ca7fc9c29952aeeea4f629358b7fb7bcd2845d983400f00bcee40d0544ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Host file.exe

Filesize
248KB

MD5
04738149bb9c3624ad350e980b32dcf0

SHA1
308b29b7b1bb99ec1faff1d0f81b6cfef2900d2e

SHA256
73f9d80a6bac8ce6b07370ed36eee2346cc84b0a43daa124eaa610d8081106aa

SHA512
bd16ee542e08e1d8d846f1a144c6000aa685d85c6541fc0854f8146bfac84171c73a3f492b8eda4a3e99f77a8692f20b6b1d8164fc71de8ee33d65aa061ef10a

Download Submit
memory/468-123-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/468-136-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/468-143-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1936-113-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1936-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2208-55-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-50-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2208-41-0x00000000006D0000-0x0000000000776000-memory.dmp

Filesize
664KB

Download
memory/2208-62-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-64-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-72-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-70-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-74-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-68-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-76-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-42-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/2208-78-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-43-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/2208-81-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-44-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/2208-66-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-48-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/2208-53-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-49-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/2208-101-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/2208-89-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2208-60-0x0000000005470000-0x0000000005485000-memory.dmp

Filesize
84KB

Download
memory/2208-51-0x0000000005470000-0x000000000548C000-memory.dmp

Filesize
112KB

Download
memory/2476-127-0x0000000006630000-0x0000000006C48000-memory.dmp

Filesize
6.1MB

Download
memory/2476-139-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2476-109-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2476-114-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/2476-95-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2476-138-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/2476-133-0x00000000060D0000-0x0000000006182000-memory.dmp

Filesize
712KB

Download
memory/2476-128-0x0000000005700000-0x0000000005750000-memory.dmp

Filesize
320KB

Download
memory/2476-100-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/3204-134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3204-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3904-88-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3904-54-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/3904-126-0x0000000006030000-0x0000000006052000-memory.dmp

Filesize
136KB

Download
memory/3904-99-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/3904-125-0x0000000005FB0000-0x0000000005FCA000-memory.dmp

Filesize
104KB

Download
memory/3904-119-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/3904-132-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/3904-57-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3904-124-0x0000000006B00000-0x0000000006B96000-memory.dmp

Filesize
600KB

Download
memory/3904-52-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/3904-82-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/3904-79-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/3904-116-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/3904-56-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3904-59-0x0000000004C40000-0x0000000005268000-memory.dmp

Filesize
6.2MB

Download