quasar | 376ecc6bbf3db6782f5548c1d58c5c1a72146f684f395fa6e40253db10834546

General

Target

Uni.bat
Size

5.1MB
MD5

23437e2baad94ab4255396007b06b3eb
SHA1

ebd04f77aa36f67a48e855601e31424b4547228d
SHA256

376ecc6bbf3db6782f5548c1d58c5c1a72146f684f395fa6e40253db10834546
SHA512

5d888ba40f8c63a1e8e18f8c152d5ed6aca400455982ee615712dff80ba4fbe719c86c6b7a44227275548cbff75cc23326902b9b2c9c4fa8e9ccb26c89f83589
SSDEEP

24576:bQcksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8V:kSbESV0MFJnGRfrnQwsxZLHC

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:34353

Mutex

25ab9d56-6ef2-47d3-99aa-2142fbcd41fa

Attributes

encryption_key
8E710985199C6BF86CCE90DA92448A36E2F45F51
install_name
XWormV5.6.exe
log_directory
WindowsUPDLogs
reconnect_delay
3000
startup_key
Windows BIOS Update Checker
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral1/memory/2508-62208-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\XWormV5.6.exe	family_quasar
C:\Windows\System32\SubDir\XWormV5.6.exe	family_quasar
behavioral1/memory/2156-62218-0x00000000008D0000-0x0000000000BF4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeXWormV5.6.exe

pid process

2508 x.exe
2156 XWormV5.6.exe

pid	process
2508	x.exe
2156	XWormV5.6.exe

Drops file in System32 directory 5 IoCs

Processes:

x.exeXWormV5.6.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\XWormV5.6.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir\XWormV5.6.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir	x.exe
File opened for modification	C:\Windows\system32\SubDir\XWormV5.6.exe	XWormV5.6.exe
File opened for modification	C:\Windows\system32\SubDir	XWormV5.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1880 schtasks.exe
2276 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeXWormV5.6.exe

description pid process

Token: SeDebugPrivilege 2508 x.exe
Token: SeDebugPrivilege 2156 XWormV5.6.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

XWormV5.6.exe

pid process

2156 XWormV5.6.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

XWormV5.6.exe

pid process

2156 XWormV5.6.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XWormV5.6.exe

pid process

2156 XWormV5.6.exe

pid	process
1880	schtasks.exe
2276	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2508	x.exe
Token: SeDebugPrivilege	2156	XWormV5.6.exe

pid	process
2156	XWormV5.6.exe

pid	process
2156	XWormV5.6.exe

pid	process
2156	XWormV5.6.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exex.exeXWormV5.6.exe

description	pid	process	target process
PID 1960 wrote to memory of 2760	1960	cmd.exe	findstr.exe
PID 1960 wrote to memory of 2760	1960	cmd.exe	findstr.exe
PID 1960 wrote to memory of 2760	1960	cmd.exe	findstr.exe
PID 1960 wrote to memory of 2268	1960	cmd.exe	cscript.exe
PID 1960 wrote to memory of 2268	1960	cmd.exe	cscript.exe
PID 1960 wrote to memory of 2268	1960	cmd.exe	cscript.exe
PID 1960 wrote to memory of 2508	1960	cmd.exe	x.exe
PID 1960 wrote to memory of 2508	1960	cmd.exe	x.exe
PID 1960 wrote to memory of 2508	1960	cmd.exe	x.exe
PID 2508 wrote to memory of 2276	2508	x.exe	schtasks.exe
PID 2508 wrote to memory of 2276	2508	x.exe	schtasks.exe
PID 2508 wrote to memory of 2276	2508	x.exe	schtasks.exe
PID 2508 wrote to memory of 2156	2508	x.exe	XWormV5.6.exe
PID 2508 wrote to memory of 2156	2508	x.exe	XWormV5.6.exe
PID 2508 wrote to memory of 2156	2508	x.exe	XWormV5.6.exe
PID 2156 wrote to memory of 1880	2156	XWormV5.6.exe	schtasks.exe
PID 2156 wrote to memory of 1880	2156	XWormV5.6.exe	schtasks.exe
PID 2156 wrote to memory of 1880	2156	XWormV5.6.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
PID:2760

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\SubDir\XWormV5.6.exe
"C:\Windows\system32\SubDir\XWormV5.6.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
3c6624e58aff977da05325aad47fc659

SHA1
a31006dfa036915f13fe4729032c04551de70ae1

SHA256
d8f0246c3a3f136dcf198fde7445c03184cc06e922620c51d03f3d7959231a0a

SHA512
759e13d47116141edaf92633ee0ccd902fd212481e76e7d14351ceab40279a7c460a85c62462c6e75eafed57fa58a1b3a1e1e7de0e1377ad81894a5f257b3a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
848c6d6f65ac42b89055971976dfe98f

SHA1
211d463ca045db51309314d4906e2a59ea147453

SHA256
3020c206af299dbc458bc379a1a6d5d3ae8af43ce10a13a94c78d871dc1ce9ca

SHA512
ad3e62693f18a3dcc0ced9bea820246544789f42296b1178b17eeb490e40311487f10fed590f48b6fc7ed0d6f6cc7c585b9a18d8bf4437240fd5310faefc6fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
3.1MB

MD5
a64821e6d15cdc5f778e2d75a843a988

SHA1
653c50d75df7da8035bbbdb45a6744f007846f98

SHA256
c89e271601f509d5ab240913749a9bf28523dce349f13c59e648877d7a80b1b3

SHA512
b29df36bf61c5926bf7fb881e706400f4ac830287a6a1af5102497c474c4664dc9573aa2cc5a55a0a67bf8bc473b0924cc515ed605304e815d95437e6912ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Windows\System32\SubDir\XWormV5.6.exe
Filesize
2.3MB

MD5
994e67c169b460228e12458fada5f7c4

SHA1
6e45e5e06e3cf5b8b524e7fbf26e0068516ffd0e

SHA256
9ca57822d5ec70cd9d1e53b76c7f150678dde2454e839d237b4a1e44e908fbc9

SHA512
97d89b803c304f3e9bfe42b986d2b6582ed88af788530068a812c9795103a8d9bec100a22f82021085c1a2a09fca1257d14fd3dead1b6e0262da66733701a93c

Download Submit
C:\Windows\System32\SubDir\XWormV5.6.exe
Filesize
2.6MB

MD5
81e1b33745a65bcb39a6af813176cee9

SHA1
fcedeafcea8fd3deb55fee27703ac1264d1a7f00

SHA256
b425a2214a0f05244d1916699419c45d826cd18ef911e1b56caa7872fd691934

SHA512
2ac82223e4a1ab43c059ac9134bcb38293748b3946459798481e56295d76bc5b753ee9a4879127a4f23b1d000a86dbfd30d07d0ffef2fc00e4afd0dde0da11be

Download Submit
memory/2156-62217-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-62221-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2156-62220-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-62219-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2156-62218-0x00000000008D0000-0x0000000000BF4000-memory.dmp

Filesize
3.1MB

Download
memory/2508-62210-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/2508-62216-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-62209-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-62208-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads