quasar | cbe49c46c68fbf9a6733b839945e3eb01c02ee26e7a327ebb54aacad4e765a2b

General

Target

Image Logger.exe
Size

3.1MB
MD5

6af433dc5c20b6c59cb8c2b63ddf4963
SHA1

e378ad8a93a6859afb38f10332a044b1b898baca
SHA256

cbe49c46c68fbf9a6733b839945e3eb01c02ee26e7a327ebb54aacad4e765a2b
SHA512

4ba72e6858d3aecc2f87d0b23516ae7915df49fcbb91747c5d24462750e867956b1bb72e5fda397c8eb7a95d67440125de01167f78d79bc946b1397ec35e0de0
SSDEEP

49152:bvrI22SsaNYfdPBldt698dBcjHRMxNESExk/iHLoGdhYTHHB72eh2NT:bvU22SsaNYfdPBldt6+dBcjHWxwrR

Score

10^/10

quasar image logger spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Image Logger

C2

promptylol-31420.portmap.io:5950

Mutex

4cdcc137-c98a-4223-9eca-fa3c3f414513

Attributes

encryption_key
92AAA484892AFDE2F29DD42856FA1D969FC2CCFE
install_name
sys.exe
log_directory
Logs
reconnect_delay
2995
startup_key
bootmgr
subdirectory
critical

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/116-0-0x0000000000AC0000-0x0000000000DE4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000231f5-7.dat	family_quasar
behavioral1/files/0x00070000000231f5-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4084	sys.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\critical\sys.exe	Image Logger.exe
File opened for modification	C:\Windows\system32\critical\sys.exe	Image Logger.exe
File opened for modification	C:\Windows\system32\critical	Image Logger.exe
File opened for modification	C:\Windows\system32\critical\sys.exe	sys.exe
File opened for modification	C:\Windows\system32\critical	sys.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1720	schtasks.exe
2648	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	Image Logger.exe
Token: SeDebugPrivilege	4084	sys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	sys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1720	116	Image Logger.exe	37
PID 116 wrote to memory of 1720	116	Image Logger.exe	37
PID 116 wrote to memory of 4084	116	Image Logger.exe	36
PID 116 wrote to memory of 4084	116	Image Logger.exe	36
PID 4084 wrote to memory of 2648	4084	sys.exe	51
PID 4084 wrote to memory of 2648	4084	sys.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\system32\critical\sys.exe
  "C:\Windows\system32\critical\sys.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "bootmgr" /sc ONLOGON /tr "C:\Windows\system32\critical\sys.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2648
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "bootmgr" /sc ONLOGON /tr "C:\Windows\system32\critical\sys.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\critical\sys.exe

Filesize
2.2MB

MD5
a54f73924c1eb6f6f282125c3d0b6b88

SHA1
0364b67f8f8451f9b92eb582a69efff41ecfbbc5

SHA256
2e56c9ed6f9a48f30a5524f9ed55f06f3d98d1644ff8fb2d7ecfe08f78f541f8

SHA512
4564fa314b016df1eff7219ba00e30ecdf10b50c693d482820553986a6aa06a137eb37a8f253a1b580ac02a7ff50a79be29b6dc1b147f49af99bb9f1afa3b30e

Download Submit
C:\Windows\system32\critical\sys.exe

Filesize
1.9MB

MD5
e23b864b16e46cbc46cb9679e3ba22b9

SHA1
e263a4f3e0155036c4093ed99e530af2d5677889

SHA256
12a2c69dcaf423668003043601051466eee676483254d2f83561b9c611c02c7c

SHA512
fa2e1019441469cc1e99d2f652f94f3b531a3ca98b04ee0f85e2ace0ae5911e40e1429707302ef0159a53038fd6775581da4d9637c2dce44e4953a62af2b12c4

Download Submit
memory/116-0-0x0000000000AC0000-0x0000000000DE4000-memory.dmp

Filesize
3.1MB

Download
memory/116-2-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/116-1-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

Filesize
10.8MB

Download
memory/116-10-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

Filesize
10.8MB

Download
memory/4084-9-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

Filesize
10.8MB

Download
memory/4084-11-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/4084-12-0x000000001B010000-0x000000001B060000-memory.dmp

Filesize
320KB

Download
memory/4084-13-0x000000001B9A0000-0x000000001BA52000-memory.dmp

Filesize
712KB

Download
memory/4084-14-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

Filesize
10.8MB

Download
memory/4084-15-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/4084-16-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads