quasar | c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19

General

Target

c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe
Size

3.1MB
MD5

a168c79cb0994efc2f80bd9b6f951e76
SHA1

6481ba3c76ec8b2c29baa40dd2c21a00bb0c031f
SHA256

c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19
SHA512

1b8062baf7d872c3b8d56d538721c6fb04e4851703dda8e38783939f87cfc05e1b27c691303fa8e684081d57abb9f2ccbfd849bc72cda9b9d1a4785ca3604a82
SSDEEP

49152:ovtI22SsaNYfdPBldt698dBcjH631xbRkpoGdpcwJTHHB72eh2NT:ovm22SsaNYfdPBldt6+dBcjH631Uy

Score

10^/10

quasar client spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

C2

109.55.109.94:4782

Mutex

9af07297-b3a5-4f50-bb78-b1b9252cfa10

Attributes

encryption_key
AD5756ABD65F0F63A74CD6A753331631B4A27F41
install_name
SubDir.exe
log_directory
Logs
reconnect_delay
3000
startup_key
HealthSystemTray
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x00000000011F0000-0x0000000001514000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\SubDir.exe	family_quasar
C:\Windows\system32\SubDir\SubDir.exe	family_quasar
behavioral1/memory/112-10-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

SubDir.exe

pid process

112 SubDir.exe

pid	process
112	SubDir.exe

Drops file in System32 directory 5 IoCs

Processes:

c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exeSubDir.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe
File opened for modification	C:\Windows\system32\SubDir\SubDir.exe	SubDir.exe
File opened for modification	C:\Windows\system32\SubDir	SubDir.exe
File created	C:\Windows\system32\SubDir\SubDir.exe	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe
File opened for modification	C:\Windows\system32\SubDir\SubDir.exe	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2888 schtasks.exe
2496 schtasks.exe

pid	process
2888	schtasks.exe
2496	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exeSubDir.exe

description	pid	process
Token: SeDebugPrivilege	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe
Token: SeDebugPrivilege	112	SubDir.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SubDir.exe

pid process

112 SubDir.exe

pid	process
112	SubDir.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exeSubDir.exe

description	pid	process	target process
PID 2912 wrote to memory of 2888	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	schtasks.exe
PID 2912 wrote to memory of 2888	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	schtasks.exe
PID 2912 wrote to memory of 2888	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	schtasks.exe
PID 2912 wrote to memory of 112	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	SubDir.exe
PID 2912 wrote to memory of 112	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	SubDir.exe
PID 2912 wrote to memory of 112	2912	c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe	SubDir.exe
PID 112 wrote to memory of 2496	112	SubDir.exe	schtasks.exe
PID 112 wrote to memory of 2496	112	SubDir.exe	schtasks.exe
PID 112 wrote to memory of 2496	112	SubDir.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe
"C:\Users\Admin\AppData\Local\Temp\c328534fe8df97ccd8ff9fec54f6760f2aa9c0af3f4aa49268d83c1bbafcde19.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "HealthSystemTray" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SubDir.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\SubDir\SubDir.exe
"C:\Windows\system32\SubDir\SubDir.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "HealthSystemTray" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SubDir.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\SubDir.exe
Filesize
2.8MB

MD5
e9610fdf5903dcea8425dba45b85fade

SHA1
0d8a6b72fc77b01da3211d3f15c40c5ee1cf5011

SHA256
a213fc829341eef16a613088be84ba89a9340e6f52b04b9e489aa60f19469de8

SHA512
7823d891d50c931b86768ef0e0cd6b59f1fc7dbb0257563870d1e1e337eef24d8246367d5d3fe118219a3c9b28cc31175a3c8fb9bc0417cbe7c1bb1f06c1d219

Download Submit
C:\Windows\system32\SubDir\SubDir.exe
Filesize
2.3MB

MD5
2465c5230ef65b90200a29230216feb2

SHA1
8a47fc65e7529fa774bed874fffa4d4dc25c9824

SHA256
b363248ce5cade1966f6fc9c7797bda6ae16fcf0906191170dc1b4e3b6195ce1

SHA512
03f229145141195bd549a4c53536f9480b3995c69c4e873708790ac918ea0c9575524c3383695814b3c66c32b1324ea502626897eef227527e7aa8539282af73

Download Submit
memory/112-8-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/112-10-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download
memory/112-11-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/112-12-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/112-13-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2912-0-0x00000000011F0000-0x0000000001514000-memory.dmp

Filesize
3.1MB

Download
memory/2912-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-2-0x000000001B600000-0x000000001B680000-memory.dmp

Filesize
512KB

Download
memory/2912-9-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads