quasar | 78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128

General

Target

Client.exe
Size

3.1MB
MD5

8eec6e82f824e964f6a6ae25f97c2b26
SHA1

dd746bd25682356e5a73d0f447e3d0de6907d33d
SHA256

78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128
SHA512

f3d6b88f449ff1532b0177f1cd5e940163101a834f8faba1cd4131c72b56c2c75b98aac6568addc933852e0e59decdf999266dc15b86a330daf74acdeb53774d
SSDEEP

49152:yvht62XlaSFNWPjljiFa2RoUYIU+qXBxHeoGdzTHHB72eh2NT:yvL62XlaSFNWPjljiFXRoUYIJqK

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:45359

Mutex

f8ed2643-0827-4252-bfbe-ca79f67643cb

Attributes

encryption_key
52BB87E2CC96F5243DED8FFD41978ED5C07DF11C
install_name
Steam.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2284-0-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe	family_quasar
behavioral1/memory/1008-9-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Steam.exe

pid process

1008 Steam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1872 schtasks.exe
2540 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exeSteam.exe

description pid process

Token: SeDebugPrivilege 2284 Client.exe
Token: SeDebugPrivilege 1008 Steam.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Steam.exe

pid process

1008 Steam.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Steam.exe

pid process

1008 Steam.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Steam.exe

pid process

1008 Steam.exe

pid	process
1008	Steam.exe

pid	process
1872	schtasks.exe
2540	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2284	Client.exe
Token: SeDebugPrivilege	1008	Steam.exe

pid	process
1008	Steam.exe

pid	process
1008	Steam.exe

pid	process
1008	Steam.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Client.exeSteam.exe

description	pid	process	target process
PID 2284 wrote to memory of 1872	2284	Client.exe	schtasks.exe
PID 2284 wrote to memory of 1872	2284	Client.exe	schtasks.exe
PID 2284 wrote to memory of 1872	2284	Client.exe	schtasks.exe
PID 2284 wrote to memory of 1008	2284	Client.exe	Steam.exe
PID 2284 wrote to memory of 1008	2284	Client.exe	Steam.exe
PID 2284 wrote to memory of 1008	2284	Client.exe	Steam.exe
PID 1008 wrote to memory of 2540	1008	Steam.exe	schtasks.exe
PID 1008 wrote to memory of 2540	1008	Steam.exe	schtasks.exe
PID 1008 wrote to memory of 2540	1008	Steam.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1872

C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
Filesize
3.1MB

MD5
8eec6e82f824e964f6a6ae25f97c2b26

SHA1
dd746bd25682356e5a73d0f447e3d0de6907d33d

SHA256
78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128

SHA512
f3d6b88f449ff1532b0177f1cd5e940163101a834f8faba1cd4131c72b56c2c75b98aac6568addc933852e0e59decdf999266dc15b86a330daf74acdeb53774d

Download Submit
memory/1008-8-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1008-9-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download
memory/1008-11-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/1008-12-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/1008-13-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2284-0-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download
memory/2284-1-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-2-0x000000001B490000-0x000000001B510000-memory.dmp

Filesize
512KB

Download
memory/2284-10-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads