quasar | 376ecc6bbf3db6782f5548c1d58c5c1a72146f684f395fa6e40253db10834546

General

Target

Uni.bat
Size

5.1MB
MD5

23437e2baad94ab4255396007b06b3eb
SHA1

ebd04f77aa36f67a48e855601e31424b4547228d
SHA256

376ecc6bbf3db6782f5548c1d58c5c1a72146f684f395fa6e40253db10834546
SHA512

5d888ba40f8c63a1e8e18f8c152d5ed6aca400455982ee615712dff80ba4fbe719c86c6b7a44227275548cbff75cc23326902b9b2c9c4fa8e9ccb26c89f83589
SSDEEP

24576:bQcksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8V:kSbESV0MFJnGRfrnQwsxZLHC

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:34353

Mutex

25ab9d56-6ef2-47d3-99aa-2142fbcd41fa

Attributes

encryption_key
8E710985199C6BF86CCE90DA92448A36E2F45F51
install_name
XWormV5.6.exe
log_directory
WindowsUPDLogs
reconnect_delay
3000
startup_key
Windows BIOS Update Checker
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral2/memory/4968-62209-0x00000000008D0000-0x0000000000BF4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeXWormV5.6.exe

pid process

4968 x.exe
3876 XWormV5.6.exe

pid	process
4968	x.exe
3876	XWormV5.6.exe

Drops file in System32 directory 5 IoCs

Processes:

x.exeXWormV5.6.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\XWormV5.6.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir\XWormV5.6.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir	x.exe
File opened for modification	C:\Windows\system32\SubDir\XWormV5.6.exe	XWormV5.6.exe
File opened for modification	C:\Windows\system32\SubDir	XWormV5.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5056 schtasks.exe
1688 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeXWormV5.6.exe

description pid process

Token: SeDebugPrivilege 4968 x.exe
Token: SeDebugPrivilege 3876 XWormV5.6.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

XWormV5.6.exe

pid process

3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

XWormV5.6.exe

pid process

3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
3876 XWormV5.6.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XWormV5.6.exe

pid process

3876 XWormV5.6.exe

pid	process
5056	schtasks.exe
1688	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4968	x.exe
Token: SeDebugPrivilege	3876	XWormV5.6.exe

pid	process
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe

pid	process
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe
3876	XWormV5.6.exe

pid	process
3876	XWormV5.6.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exex.exeXWormV5.6.exe

description	pid	process	target process
PID 3312 wrote to memory of 4640	3312	cmd.exe	findstr.exe
PID 3312 wrote to memory of 4640	3312	cmd.exe	findstr.exe
PID 3312 wrote to memory of 4964	3312	cmd.exe	cscript.exe
PID 3312 wrote to memory of 4964	3312	cmd.exe	cscript.exe
PID 3312 wrote to memory of 4968	3312	cmd.exe	x.exe
PID 3312 wrote to memory of 4968	3312	cmd.exe	x.exe
PID 4968 wrote to memory of 5056	4968	x.exe	schtasks.exe
PID 4968 wrote to memory of 5056	4968	x.exe	schtasks.exe
PID 4968 wrote to memory of 3876	4968	x.exe	XWormV5.6.exe
PID 4968 wrote to memory of 3876	4968	x.exe	XWormV5.6.exe
PID 3876 wrote to memory of 1688	3876	XWormV5.6.exe	schtasks.exe
PID 3876 wrote to memory of 1688	3876	XWormV5.6.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
PID:4640

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\SubDir\XWormV5.6.exe
"C:\Windows\system32\SubDir\XWormV5.6.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows BIOS Update Checker" /sc ONLOGON /tr "C:\Windows\system32\SubDir\XWormV5.6.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
a16f11638f1aad5f339a5129c0f407cd

SHA1
d8b6055ae08fd9fbdf6efdde25391c9164b88b15

SHA256
63d54bc2b3958b6184f7d9e4d780e276183593a521d60d2f738e71e2d11bae7a

SHA512
243129c71b8486d1279c6211ff8111d697499fbe652d93d4bca011293e2b577b04208e09a363b5b7536c95374a6b546e5a37eaab1f57eaf3209845952eaf3038

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
848c6d6f65ac42b89055971976dfe98f

SHA1
211d463ca045db51309314d4906e2a59ea147453

SHA256
3020c206af299dbc458bc379a1a6d5d3ae8af43ce10a13a94c78d871dc1ce9ca

SHA512
ad3e62693f18a3dcc0ced9bea820246544789f42296b1178b17eeb490e40311487f10fed590f48b6fc7ed0d6f6cc7c585b9a18d8bf4437240fd5310faefc6fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
3.1MB

MD5
a64821e6d15cdc5f778e2d75a843a988

SHA1
653c50d75df7da8035bbbdb45a6744f007846f98

SHA256
c89e271601f509d5ab240913749a9bf28523dce349f13c59e648877d7a80b1b3

SHA512
b29df36bf61c5926bf7fb881e706400f4ac830287a6a1af5102497c474c4664dc9573aa2cc5a55a0a67bf8bc473b0924cc515ed605304e815d95437e6912ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/3876-62224-0x000000001CC40000-0x000000001CC52000-memory.dmp

Filesize
72KB

Download
memory/3876-62219-0x000000001C150000-0x000000001C160000-memory.dmp

Filesize
64KB

Download
memory/3876-62218-0x00007FFCD45A0000-0x00007FFCD5061000-memory.dmp

Filesize
10.8MB

Download
memory/3876-62220-0x000000001CBC0000-0x000000001CC10000-memory.dmp

Filesize
320KB

Download
memory/3876-62221-0x000000001CCD0000-0x000000001CD82000-memory.dmp

Filesize
712KB

Download
memory/3876-62225-0x000000001D7D0000-0x000000001D80C000-memory.dmp

Filesize
240KB

Download
memory/3876-62226-0x00007FFCD45A0000-0x00007FFCD5061000-memory.dmp

Filesize
10.8MB

Download
memory/3876-62227-0x000000001C150000-0x000000001C160000-memory.dmp

Filesize
64KB

Download
memory/4968-62208-0x00007FFCD45A0000-0x00007FFCD5061000-memory.dmp

Filesize
10.8MB

Download
memory/4968-62210-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/4968-62217-0x00007FFCD45A0000-0x00007FFCD5061000-memory.dmp

Filesize
10.8MB

Download
memory/4968-62209-0x00000000008D0000-0x0000000000BF4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads