quasar | f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354

General

Target

TEST.bat
Size

5.1MB
MD5

b86f4f6866f58f646d089796996d129c
SHA1

a95b2a3ad0457286ef23353b9592755fe276671d
SHA256

f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354
SHA512

7e5cb1bea9974bfc6da599514aa549cf5fffcf82a37bac15259d5f0b4d8f99dd2b2703db9cbb773b861e2c68fc5a0cf31e6a685fa0b4a9d979b6661aa69cb1ae
SSDEEP

24576:gccksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8x:9SbESV0MFJnhVFHVwseHFIR4l1t

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:36305

Mutex

f4720af1-0ef3-414f-b170-e837e2727049

Attributes

encryption_key
52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name
Windows.exe
log_directory
Windows Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral1/memory/2112-62218-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/2624-62227-0x0000000000BB0000-0x0000000000ED4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeWindows.exe

pid process

2112 x.exe
2624 Windows.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2628 schtasks.exe
1440 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeWindows.exe

description pid process

Token: SeDebugPrivilege 2112 x.exe
Token: SeDebugPrivilege 2624 Windows.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows.exe

pid process

2624 Windows.exe

pid	process
2112	x.exe
2624	Windows.exe

pid	process
2628	schtasks.exe
1440	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2112	x.exe
Token: SeDebugPrivilege	2624	Windows.exe

pid	process
2624	Windows.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exex.exeWindows.exe

description	pid	process	target process
PID 1924 wrote to memory of 2424	1924	cmd.exe	findstr.exe
PID 1924 wrote to memory of 2424	1924	cmd.exe	findstr.exe
PID 1924 wrote to memory of 2424	1924	cmd.exe	findstr.exe
PID 1924 wrote to memory of 2464	1924	cmd.exe	cscript.exe
PID 1924 wrote to memory of 2464	1924	cmd.exe	cscript.exe
PID 1924 wrote to memory of 2464	1924	cmd.exe	cscript.exe
PID 1924 wrote to memory of 2112	1924	cmd.exe	x.exe
PID 1924 wrote to memory of 2112	1924	cmd.exe	x.exe
PID 1924 wrote to memory of 2112	1924	cmd.exe	x.exe
PID 2112 wrote to memory of 2628	2112	x.exe	schtasks.exe
PID 2112 wrote to memory of 2628	2112	x.exe	schtasks.exe
PID 2112 wrote to memory of 2628	2112	x.exe	schtasks.exe
PID 2112 wrote to memory of 2624	2112	x.exe	Windows.exe
PID 2112 wrote to memory of 2624	2112	x.exe	Windows.exe
PID 2112 wrote to memory of 2624	2112	x.exe	Windows.exe
PID 2624 wrote to memory of 1440	2624	Windows.exe	schtasks.exe
PID 2624 wrote to memory of 1440	2624	Windows.exe	schtasks.exe
PID 2624 wrote to memory of 1440	2624	Windows.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
2⤵
PID:2424

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2628

C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
1KB

MD5
6684670c1a8cf5cea5ee0f54c44816f5

SHA1
85be8f0962bf83ce5d027f15dfba9410945f8729

SHA256
f5ef4d4f4c2816b8e815b35abc52357cb0f6a65dca5705a7b97e7beeb14ea83b

SHA512
304dff79e4f0db43022e476075107e06f12a5cfc3762b1835b03e35cebc1e822581d86ba4eb14f4140f541396690d7f1c0f9ef198c74e1b7d1e40bca21638173

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
5e7433944b930a5d455e8105cfc50e5b

SHA1
613c4b5cd7c00a48057d0c26ecbc4546257f9369

SHA256
3c37be69c66a6eaa998e84d839ec909d7c063e33bf0f37a148dfb8026c641803

SHA512
08f3a7b8ff5b75aff5dee4cc97d37bff6dc4128a926b90106f788cfeb639ff52f7ab584b0ccd8039d9c164754f8d26e7053ef5d3ec49b0f6f30f86be327a7309

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
86d323e5f0c8cc803bce65d0ba99864e

SHA1
31ac2d2b336faf9aa911c0371c668923169679ee

SHA256
7c7981c2284f87649282657837c62e812b4a156e88ac2922479e2a24fa223afa

SHA512
24fd1b30b2a7b2e251b6b3283c1becd5a1e2e69b22c780fc034551d5ceb42a88b138237efa565977e265d101eef756bc69972d52552cd1530e34612dee6fc8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
3.1MB

MD5
e9a5c47b799b740cb8bf2db11b85ad91

SHA1
301612438c71f38418f874bd8c58bdc0ff93e5df

SHA256
59ac2857047d0c8778e5658757fd17b39ecfe0ee34fd50aad70a8a1acde9a4ff

SHA512
c6781f1196171cb79d9cdd6f104f39bb63bef5c8113770c714fb8b78c33785c695f0b8d407b86a237048c2d8ad90de9f2e3845224c624fdb96b00e86704cddd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/2112-62219-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-62218-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/2112-62220-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/2112-62228-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-62226-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-62227-0x0000000000BB0000-0x0000000000ED4000-memory.dmp

Filesize
3.1MB

Download
memory/2624-62229-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2624-62230-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-62231-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads