quasar | f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354

General

Target

TEST.bat
Size

5.1MB
MD5

b86f4f6866f58f646d089796996d129c
SHA1

a95b2a3ad0457286ef23353b9592755fe276671d
SHA256

f4ac97b8dd5a438a715a43b6c2e7d3431f1a2c3e17cf8bc8858027b0f544e354
SHA512

7e5cb1bea9974bfc6da599514aa549cf5fffcf82a37bac15259d5f0b4d8f99dd2b2703db9cbb773b861e2c68fc5a0cf31e6a685fa0b4a9d979b6661aa69cb1ae
SSDEEP

24576:gccksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8x:9SbESV0MFJnhVFHVwseHFIR4l1t

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:36305

Mutex

f4720af1-0ef3-414f-b170-e837e2727049

Attributes

encryption_key
52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name
Windows.exe
log_directory
Windows Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral2/memory/224-62218-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeWindows.exe

pid process

224 x.exe
3948 Windows.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2052 schtasks.exe
4008 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeWindows.exe

description pid process

Token: SeDebugPrivilege 224 x.exe
Token: SeDebugPrivilege 3948 Windows.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows.exe

pid process

3948 Windows.exe

pid	process
224	x.exe
3948	Windows.exe

pid	process
2052	schtasks.exe
4008	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	224	x.exe
Token: SeDebugPrivilege	3948	Windows.exe

pid	process
3948	Windows.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exex.exeWindows.exe

description	pid	process	target process
PID 3088 wrote to memory of 940	3088	cmd.exe	findstr.exe
PID 3088 wrote to memory of 940	3088	cmd.exe	findstr.exe
PID 3088 wrote to memory of 3928	3088	cmd.exe	cscript.exe
PID 3088 wrote to memory of 3928	3088	cmd.exe	cscript.exe
PID 3088 wrote to memory of 224	3088	cmd.exe	x.exe
PID 3088 wrote to memory of 224	3088	cmd.exe	x.exe
PID 224 wrote to memory of 2052	224	x.exe	schtasks.exe
PID 224 wrote to memory of 2052	224	x.exe	schtasks.exe
PID 224 wrote to memory of 3948	224	x.exe	Windows.exe
PID 224 wrote to memory of 3948	224	x.exe	Windows.exe
PID 3948 wrote to memory of 4008	3948	Windows.exe	schtasks.exe
PID 3948 wrote to memory of 4008	3948	Windows.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\TEST.bat"
2⤵
PID:940

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2052

C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8
1⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
5e7433944b930a5d455e8105cfc50e5b

SHA1
613c4b5cd7c00a48057d0c26ecbc4546257f9369

SHA256
3c37be69c66a6eaa998e84d839ec909d7c063e33bf0f37a148dfb8026c641803

SHA512
08f3a7b8ff5b75aff5dee4cc97d37bff6dc4128a926b90106f788cfeb639ff52f7ab584b0ccd8039d9c164754f8d26e7053ef5d3ec49b0f6f30f86be327a7309

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
86d323e5f0c8cc803bce65d0ba99864e

SHA1
31ac2d2b336faf9aa911c0371c668923169679ee

SHA256
7c7981c2284f87649282657837c62e812b4a156e88ac2922479e2a24fa223afa

SHA512
24fd1b30b2a7b2e251b6b3283c1becd5a1e2e69b22c780fc034551d5ceb42a88b138237efa565977e265d101eef756bc69972d52552cd1530e34612dee6fc8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
2.2MB

MD5
498eb84dc8499352f8712961bf15a94f

SHA1
0399d95f8cc8b837c6f6ae6619824d63e699c7b9

SHA256
43307680a4253b0ed332826b2f992596a6c044e376469fc3dd4343228a51be57

SHA512
f37390e5b4a92fc5873ee71a24b45460cff173a14a5abb66b8df24330e3b8c529df14857da51192ae95eedf0d9f4619ce634082d42053ca2a572d53fc00ecf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
1.4MB

MD5
67de5a5b24807dec57dd0cd79ded623c

SHA1
a62167f108d6796998ba6f03aab4101be212cdc0

SHA256
d3958f7f5d11977f28e50c7607b9de8f7f43303f01fb0f4accee6a6fc9387b0c

SHA512
834090f7a3c85590325f9a55d4328e9548ec2ebdf69972caa083aa37ad85deba948a3f9c5f83b76d1bf29a8864ec776f2d6a7f506b62a6274b43a6e2e10b03f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe
Filesize
3.1MB

MD5
e9a5c47b799b740cb8bf2db11b85ad91

SHA1
301612438c71f38418f874bd8c58bdc0ff93e5df

SHA256
59ac2857047d0c8778e5658757fd17b39ecfe0ee34fd50aad70a8a1acde9a4ff

SHA512
c6781f1196171cb79d9cdd6f104f39bb63bef5c8113770c714fb8b78c33785c695f0b8d407b86a237048c2d8ad90de9f2e3845224c624fdb96b00e86704cddd8

Download Submit
memory/224-62219-0x00007FF8E9CC0000-0x00007FF8EA781000-memory.dmp

Filesize
10.8MB

Download
memory/224-62220-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/224-62218-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/224-62228-0x00007FF8E9CC0000-0x00007FF8EA781000-memory.dmp

Filesize
10.8MB

Download
memory/3948-62227-0x00007FF8E9CC0000-0x00007FF8EA781000-memory.dmp

Filesize
10.8MB

Download
memory/3948-62229-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3948-62230-0x000000001BB60000-0x000000001BBB0000-memory.dmp

Filesize
320KB

Download
memory/3948-62231-0x000000001C3D0000-0x000000001C482000-memory.dmp

Filesize
712KB

Download
memory/3948-62232-0x00007FF8E9CC0000-0x00007FF8EA781000-memory.dmp

Filesize
10.8MB

Download
memory/3948-62233-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads