quasar | 1a021a6913ffe897a99cab8101bb53e4e809c3d0aaeb4bcfeab5fa1c5d6baa33

General

Target

96aa210f39830b577164ab716a8290e8.exe
Size

681KB
MD5

96aa210f39830b577164ab716a8290e8
SHA1

04ca9ad6db2b782fb540f923fc07f2a330267ee2
SHA256

1a021a6913ffe897a99cab8101bb53e4e809c3d0aaeb4bcfeab5fa1c5d6baa33
SHA512

f0e61e0248123366ac99f608db00b3508448dca95f737a90c31f62c45ee04b93aa818a7e1ffc0a1bd00e8bb399f71ee5b0932c38b5c9f36fe40cf5bd74c0ab68
SSDEEP

12288:IzxzTDWikLSb4NS7t2X+t40XW9I8LeI2gozUoCGjHg6EDlWpvbHg17O5:+DWHSb4Nc03GDI2ZzmOAtYpvbs7g

Score

10^/10

quasar bot spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Bot

C2

10.240.1.51:5353

Mutex

e747dbb5-149c-4223-a445-cd8edd6c5d0d

Attributes

encryption_key
2FF224B5EA5C506629D2406BD20ADAA057823ADC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
system32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe	family_quasar
behavioral1/memory/2012-36-0x0000000000270000-0x00000000002F4000-memory.dmp	family_quasar
behavioral1/memory/2012-41-0x000000001AF10000-0x000000001AF90000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

bot.sfx.exebot.exe

pid process

2968 bot.sfx.exe
2012 bot.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exebot.sfx.exe

pid process

2712 cmd.exe
2968 bot.sfx.exe
2968 bot.sfx.exe
2968 bot.sfx.exe
2968 bot.sfx.exe

pid	process
2968	bot.sfx.exe
2012	bot.exe

pid	process
2712	cmd.exe
2968	bot.sfx.exe
2968	bot.sfx.exe
2968	bot.sfx.exe
2968	bot.sfx.exe

Drops file in System32 directory 2 IoCs

Processes:

bot.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\svchost.exe	bot.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	bot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bot.exe

description pid process

Token: SeDebugPrivilege 2012 bot.exe

pid	process
2636	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2012	bot.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

96aa210f39830b577164ab716a8290e8.execmd.exebot.sfx.exebot.exe

description	pid	process	target process
PID 2644 wrote to memory of 2712	2644	96aa210f39830b577164ab716a8290e8.exe	cmd.exe
PID 2644 wrote to memory of 2712	2644	96aa210f39830b577164ab716a8290e8.exe	cmd.exe
PID 2644 wrote to memory of 2712	2644	96aa210f39830b577164ab716a8290e8.exe	cmd.exe
PID 2644 wrote to memory of 2712	2644	96aa210f39830b577164ab716a8290e8.exe	cmd.exe
PID 2712 wrote to memory of 2968	2712	cmd.exe	bot.sfx.exe
PID 2712 wrote to memory of 2968	2712	cmd.exe	bot.sfx.exe
PID 2712 wrote to memory of 2968	2712	cmd.exe	bot.sfx.exe
PID 2712 wrote to memory of 2968	2712	cmd.exe	bot.sfx.exe
PID 2968 wrote to memory of 2012	2968	bot.sfx.exe	bot.exe
PID 2968 wrote to memory of 2012	2968	bot.sfx.exe	bot.exe
PID 2968 wrote to memory of 2012	2968	bot.sfx.exe	bot.exe
PID 2968 wrote to memory of 2012	2968	bot.sfx.exe	bot.exe
PID 2012 wrote to memory of 2636	2012	bot.exe	schtasks.exe
PID 2012 wrote to memory of 2636	2012	bot.exe	schtasks.exe
PID 2012 wrote to memory of 2636	2012	bot.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96aa210f39830b577164ab716a8290e8.exe
"C:\Users\Admin\AppData\Local\Temp\96aa210f39830b577164ab716a8290e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.sfx.exe
bot.sfx.exe -p1234 -dC:\Users\Admin\AppData\Roaming
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2636

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.bat
Filesize
30B

MD5
689619f4817bab514f708f639232c9f4

SHA1
8ad2290b4e6ee4c99e6e17bd48712bf93ac93604

SHA256
6dac159a0bf99d488e0fa13cef502ddddeabeb1bf84296cc347e0b6a3d1992e4

SHA512
f46149adb1b5240f2b42ca6fd1013d28e8cb01e5482c30a551d15766f629d9f15be55b850dc292e0dd3e06d39a77b0e1e24ff479355a4e37d1d87e0916f8db3b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bot.sfx.exe
Filesize
518KB

MD5
d0d645c5a4552f438538b5684dfa0f57

SHA1
cbd14f337d4fa455b0536c4888b74e1ebac10bcf

SHA256
b6bf07d20cb3d141ed0eb77bd88802eabd6faf88ebfa9ed33643392d4a00d5eb

SHA512
4af478743eb471b6f9fc3974aa589d896faea59b2d67149b6971854bb138912f3f7b32f958eab5aeb44b7bcedd70633c1ea3b1948763bdc69a65bd8f30961e9d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\bot.exe
Filesize
502KB

MD5
b3e8392a9a2f8c27511fa4991af247ef

SHA1
e797ade2348a801319e91419536db899ea4bd148

SHA256
b227ed32c1630a5e70259a0e24a2b564276085fdc241491e3b988d3f912075c8

SHA512
6c94246b2d93c5754363c0f1a781a3d5627f9ef7903a10ae8584d3ea077b843fa39c8dbf8373f37abf1e6967e5a19bc71f4ee0f14d898cb85c487158ab02528d

Download Submit
memory/2012-36-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/2012-37-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-38-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/2012-40-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-41-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads