quasar | cbe49c46c68fbf9a6733b839945e3eb01c02ee26e7a327ebb54aacad4e765a2b

General

Target

Image Logger.exe
Size

3.1MB
MD5

6af433dc5c20b6c59cb8c2b63ddf4963
SHA1

e378ad8a93a6859afb38f10332a044b1b898baca
SHA256

cbe49c46c68fbf9a6733b839945e3eb01c02ee26e7a327ebb54aacad4e765a2b
SHA512

4ba72e6858d3aecc2f87d0b23516ae7915df49fcbb91747c5d24462750e867956b1bb72e5fda397c8eb7a95d67440125de01167f78d79bc946b1397ec35e0de0
SSDEEP

49152:bvrI22SsaNYfdPBldt698dBcjHRMxNESExk/iHLoGdhYTHHB72eh2NT:bvU22SsaNYfdPBldt6+dBcjHWxwrR

Score

10^/10

quasar image logger spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Image Logger

C2

promptylol-31420.portmap.io:5950

Mutex

4cdcc137-c98a-4223-9eca-fa3c3f414513

Attributes

encryption_key
92AAA484892AFDE2F29DD42856FA1D969FC2CCFE
install_name
sys.exe
log_directory
Logs
reconnect_delay
2995
startup_key
bootmgr
subdirectory
critical

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/memory/1912-0-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral2/files/0x0003000000029d82-8.dat	family_quasar
behavioral2/files/0x0003000000029d82-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2456	sys.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\critical\sys.exe	Image Logger.exe
File opened for modification	C:\Windows\system32\critical\sys.exe	Image Logger.exe
File opened for modification	C:\Windows\system32\critical	Image Logger.exe
File opened for modification	C:\Windows\system32\critical\sys.exe	sys.exe
File opened for modification	C:\Windows\system32\critical	sys.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2992	schtasks.exe
8	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	Image Logger.exe
Token: SeDebugPrivilege	2456	sys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2456	sys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 8	1912	Image Logger.exe	79
PID 1912 wrote to memory of 8	1912	Image Logger.exe	79
PID 1912 wrote to memory of 2456	1912	Image Logger.exe	81
PID 1912 wrote to memory of 2456	1912	Image Logger.exe	81
PID 2456 wrote to memory of 2992	2456	sys.exe	83
PID 2456 wrote to memory of 2992	2456	sys.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "bootmgr" /sc ONLOGON /tr "C:\Windows\system32\critical\sys.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:8
- C:\Windows\system32\critical\sys.exe
  "C:\Windows\system32\critical\sys.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "bootmgr" /sc ONLOGON /tr "C:\Windows\system32\critical\sys.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\critical\sys.exe

Filesize
1.2MB

MD5
5803ccf5155f520079613ac49d67a636

SHA1
96f69470c9bd8dcbf57236b6f122e99cc9ec9f82

SHA256
cf3cefecf17f16ba1f8c0615482d3885a0e666c0317ea570c8d67a03a4cc7f9a

SHA512
9cdec09aa0bd484d0b3079f7a2e18b6823b8f4138298d5c9d89956b42ab47deb14f828699c90766deb9529dacd5b1a6a3472a084478d15921358411d7711ffcb

Download Submit
C:\Windows\system32\critical\sys.exe

Filesize
1024KB

MD5
e727148f1f7be4f02aadd6f0cbea5d22

SHA1
f8b4d2cf1c0512a90bd8ef38d9a0e4aa3ee55585

SHA256
1c4d87a4af50a4e3e31c792083502e21d1a3d96f3e474d3966beca4d57358de0

SHA512
17843531e006ffd7227e71c9793849face2b6a0fdb8adf2a82aec927537425a7b3f5511dec0ad65fac496b883bdf0093f40d3ca4fedf18a1c7884427035663c8

Download Submit
memory/1912-0-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/1912-1-0x00007FFD0D640000-0x00007FFD0E102000-memory.dmp

Filesize
10.8MB

Download
memory/1912-2-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/1912-9-0x00007FFD0D640000-0x00007FFD0E102000-memory.dmp

Filesize
10.8MB

Download
memory/2456-10-0x00007FFD0D640000-0x00007FFD0E102000-memory.dmp

Filesize
10.8MB

Download
memory/2456-11-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/2456-12-0x000000001BFF0000-0x000000001C040000-memory.dmp

Filesize
320KB

Download
memory/2456-13-0x000000001C100000-0x000000001C1B2000-memory.dmp

Filesize
712KB

Download
memory/2456-14-0x00007FFD0D640000-0x00007FFD0E102000-memory.dmp

Filesize
10.8MB

Download
memory/2456-15-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads