quasar | ea3eb80612d2c63022e0b649b6bfe11ee97a20920bc97f2ff423571b8594a9e3

General

Target

Client.exe
Size

3.5MB
MD5

8ede987ddc05ffd59f9ed804388ed7f2
SHA1

c3bb18f464e89a8e837dca50751bd457ee9bcc6c
SHA256

ea3eb80612d2c63022e0b649b6bfe11ee97a20920bc97f2ff423571b8594a9e3
SHA512

c458155395d26098ec0516ede3e7441230e234322e32c57e58c5458e3bac42f08e8fe9a70419cd88f5877e821fd88dea9271eaba6053f22da0072ad8b6531ebe
SSDEEP

49152:WvmhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkatJRJ6FbR3LoGd+lTHHB72eh2NTE:WvIt2d5aKCuVPzlEmVQ0wvwftJRJ6XO

Score

10^/10

quasar music spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Music

C2

192.168.10.175:4782

Mutex

8c0255b4-acc1-4f01-82f4-2ef8280f890d

Attributes

encryption_key
E7CCBA8EBCA0CD48FAE7DC324857D65F0CD086F8
install_name
Geforce_Experience.exe
log_directory
Logs
reconnect_delay
3000
startup_key
GeForce_Experience_Updater
subdirectory
NVIDIA_Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2144-0-0x0000000000A80000-0x0000000000E0E000-memory.dmp	family_quasar
behavioral1/files/0x000a000000012262-6.dat	family_quasar
behavioral1/files/0x000a000000012262-7.dat	family_quasar
behavioral1/memory/2712-8-0x0000000000E00000-0x000000000118E000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2712	Geforce_Experience.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2244	schtasks.exe
2860	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	2712	Geforce_Experience.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	Geforce_Experience.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2244	2144	Client.exe	28
PID 2144 wrote to memory of 2244	2144	Client.exe	28
PID 2144 wrote to memory of 2244	2144	Client.exe	28
PID 2144 wrote to memory of 2712	2144	Client.exe	30
PID 2144 wrote to memory of 2712	2144	Client.exe	30
PID 2144 wrote to memory of 2712	2144	Client.exe	30
PID 2712 wrote to memory of 2860	2712	Geforce_Experience.exe	32
PID 2712 wrote to memory of 2860	2712	Geforce_Experience.exe	32
PID 2712 wrote to memory of 2860	2712	Geforce_Experience.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "GeForce_Experience_Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2244
- C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe
  "C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "GeForce_Experience_Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe

Filesize
896KB

MD5
5880f0a936656b056d71501156383673

SHA1
5e442be007db40ace75815b844958d5ac89554f7

SHA256
fa1757fe3b9dbaf8f4ef624d28bbc161774e6481490807770740cce82a9c4a7a

SHA512
f97f4855f35f277853e56c70bd39251a6efdd431918ea3f840ecc64aa845a9489e36fe14925380bc42a3796514697581900a0f9344bb4654b50b047bb853d716

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA_Programfiles\Geforce_Experience.exe

Filesize
85KB

MD5
b2ff547da3e9ae8aeeb3f398c90beb3b

SHA1
732a31b7e809af21b1fad59e154063a33a6c7a32

SHA256
36d5af95e3ee370727b641bf71b3338e2e87dce47a96f0250b6abe2e1cc78651

SHA512
22285fd3b3a12fa9efafe53b88d46d95c20c8600c086d9ec79ab3e8d6de2f8b5ba9c4b2ed0e6f8ef741c0561ebde4299dd684f1dc9a95b4018735f4128e894ad

Download Submit
memory/2144-0-0x0000000000A80000-0x0000000000E0E000-memory.dmp

Filesize
3.6MB

Download
memory/2144-1-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-2-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/2144-9-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-10-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-11-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2712-8-0x0000000000E00000-0x000000000118E000-memory.dmp

Filesize
3.6MB

Download
memory/2712-12-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-13-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads