quasar | f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354

General

Target

TEST.bat
Size

5.1MB
MD5

b86f4f6866f58f646d089796996d129c
SHA1

a95b2a3ad0457286ef23353b9592755fe276671d
SHA256

f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354
SHA512

7e5cb1bea9974bfc6da599514aa549cf5fffcf82a37bac15259d5f0b4d8f99dd2b2703db9cbb773b861e2c68fc5a0cf31e6a685fa0b4a9d979b6661aa69cb1ae
SSDEEP

24576:gccksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8x:9SbESV0MFJnhVFHVwseHFIR4l1t

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:36305

Mutex

f4720af1-0ef3-414f-b170-e837e2727049

Attributes

encryption_key
52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name
Windows.exe
log_directory
Windows Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral2/memory/4512-62218-0x0000000000DC0000-0x00000000010E4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeWindows.exe

pid process

4512 x.exe
4084 Windows.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

692 schtasks.exe
3740 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeWindows.exe

description pid process

Token: SeDebugPrivilege 4512 x.exe
Token: SeDebugPrivilege 4084 Windows.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows.exe

pid process

4084 Windows.exe

pid	process
4512	x.exe
4084	Windows.exe

pid	process
692	schtasks.exe
3740	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4512	x.exe
Token: SeDebugPrivilege	4084	Windows.exe

pid	process
4084	Windows.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exex.exeWindows.exe

description	pid	process	target process
PID 1440 wrote to memory of 4108	1440	cmd.exe	findstr.exe
PID 1440 wrote to memory of 4108	1440	cmd.exe	findstr.exe
PID 1440 wrote to memory of 3784	1440	cmd.exe	cscript.exe
PID 1440 wrote to memory of 3784	1440	cmd.exe	cscript.exe
PID 1440 wrote to memory of 4512	1440	cmd.exe	x.exe
PID 1440 wrote to memory of 4512	1440	cmd.exe	x.exe
PID 4512 wrote to memory of 692	4512	x.exe	schtasks.exe
PID 4512 wrote to memory of 692	4512	x.exe	schtasks.exe
PID 4512 wrote to memory of 4084	4512	x.exe	Windows.exe
PID 4512 wrote to memory of 4084	4512	x.exe	Windows.exe
PID 4084 wrote to memory of 3740	4084	Windows.exe	schtasks.exe
PID 4084 wrote to memory of 3740	4084	Windows.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
2⤵
PID:4108

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:692

C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
24760012903e1275d49f1ae18d49a095

SHA1
8f418184131cd00f71cd05f0653ff1acfa0ae2e1

SHA256
9091c7c912ccc3cba3b4da3e4ead57af25f2a74670252578908d1031540c0b97

SHA512
14f4e2898d01ccb2dbb1c4c69868fc4c018657902b1e487cde8455dc4e47cf9226ce5a2730fe90123d82bace0bf5260c053ebdb8e7a9fe437ee0b80002a55941

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
86d323e5f0c8cc803bce65d0ba99864e

SHA1
31ac2d2b336faf9aa911c0371c668923169679ee

SHA256
7c7981c2284f87649282657837c62e812b4a156e88ac2922479e2a24fa223afa

SHA512
24fd1b30b2a7b2e251b6b3283c1becd5a1e2e69b22c780fc034551d5ceb42a88b138237efa565977e265d101eef756bc69972d52552cd1530e34612dee6fc8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
121KB

MD5
de3343e17a8d04e4f6e12e2031b2276f

SHA1
c3364e602197448647b0b37c089cb22533dd24c3

SHA256
48d8f2dc481465124542c16dae2ab68c2d033f6966c4f5ce8b365254ab887cda

SHA512
f081d1c07ad606a449b72a2edb9dcd4107ddec141ee0bf507030c1cf69d82553607302060c279cbf2440fece412f09d5f078a7ce9a0ebb9e3e226f70e58e1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
256KB

MD5
462956a2495defd5a719c3d3b6fecd0b

SHA1
30f84ed230390c2d2933af393d948de32135c7d1

SHA256
087e7d94b6fa9dec965ee22c77ab83f063f911a2a89f99d15094e03d60dc4d3b

SHA512
b59cf018a8d83f6ec7fa640b94ea8d0e8ae107b9b30b686b7a6ea4fc457e62bc6381a5ed72e78626f3cd9ff55f15bed20935c189788f4ee715ec510052dfa45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
Filesize
768KB

MD5
09ab8b4f1b150d600f98a038b1021aad

SHA1
2fd618f4dc2df66942f2300a852662f78979dbe5

SHA256
e025a24499dee5dc28ef873c869729cd5115393cae063a78a80f69b5ba07caf6

SHA512
931bf78e671fde8a7dfe777fb46e53b1c65333594aa2f1a8ae9125c9f180eaae838816fc9e409ff72cae7deb626b0f2b711e1233c861148f94775f797b136755

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
Filesize
1.1MB

MD5
20b34a25583c69cd8346c9dfe856721a

SHA1
682dc6bd8a97e9e7cf904c2ad47e703aac6be7f7

SHA256
1040104360c7cfd5114ea4b82d7f83bc797e711574a116d33328edc22c5d673c

SHA512
7cc0f416d2086ef218ab20a9d7d21c2ea71768356a694340036f29ab0a5b1820c27bc5f1d743e19664cd713be5a76e387b671126d56531b5c920435aad734c87

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
Filesize
1.5MB

MD5
0b0cc8b722e1f73b32b082308f349530

SHA1
9f451aa2e70f22ca98f8c64833a58b6b4dada0a6

SHA256
7d0ed5e09ed7dd7bdfcd7ba639d4c58c816842f65f85a12e16d2cbfb5f6d3019

SHA512
5c01dc3658b8f0b0d71835d535442bebfe9b158b1d4d0479c747b65df19930705e243cf31d6822d3dae64403cadc52209c6073acb2f48f6ce1a33ffab11c7b68

Download Submit
memory/4084-62227-0x00007FFD8FE20000-0x00007FFD908E1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-62229-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/4084-62230-0x000000001C110000-0x000000001C160000-memory.dmp

Filesize
320KB

Download
memory/4084-62231-0x000000001C220000-0x000000001C2D2000-memory.dmp

Filesize
712KB

Download
memory/4084-62232-0x00007FFD8FE20000-0x00007FFD908E1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-62233-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/4512-62219-0x00007FFD8FE20000-0x00007FFD908E1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-62220-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/4512-62218-0x0000000000DC0000-0x00000000010E4000-memory.dmp

Filesize
3.1MB

Download
memory/4512-62228-0x00007FFD8FE20000-0x00007FFD908E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads