quasar | 565a83aceb2ba15250fd18b5c1b4701cf6d02398a1a47c9ac222341656f9db10

General

Target

WindowsEnabler.bat
Size

5.1MB
MD5

5cf9d59d76f27d6d3cf1c35c34ba3b19
SHA1

58e0ad6ed6697decb0b3cc0ecf053d248f8b60e0
SHA256

565a83aceb2ba15250fd18b5c1b4701cf6d02398a1a47c9ac222341656f9db10
SHA512

4d121b13db7d2a4ee08e87bc952efbf2278c45107c49bf81b2cfd4b5ccf5bcdb9d8382839d588721725f389338e5f71251d36a1f31c02a6e4c0afa92c1b3e433
SSDEEP

24576:EVcksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8K:WSbESV0MFJnucAktSD0kngP+32Oa

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:36305

Mutex

f4720af1-0ef3-414f-b170-e837e2727049

Attributes

encryption_key
52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name
WOS64.exe
log_directory
Windows Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral1/memory/1564-62218-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/2312-62227-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeWOS64.exe

pid process

1564 x.exe
2312 WOS64.exe

pid	process
1564	x.exe
2312	WOS64.exe

Drops file in System32 directory 5 IoCs

Processes:

x.exeWOS64.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\WOS64.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir\WOS64.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir	x.exe
File opened for modification	C:\Windows\system32\SubDir\WOS64.exe	WOS64.exe
File opened for modification	C:\Windows\system32\SubDir	WOS64.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2016 schtasks.exe
1984 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeWOS64.exe

description pid process

Token: SeDebugPrivilege 1564 x.exe
Token: SeDebugPrivilege 2312 WOS64.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WOS64.exe

pid process

2312 WOS64.exe

pid	process
2016	schtasks.exe
1984	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1564	x.exe
Token: SeDebugPrivilege	2312	WOS64.exe

pid	process
2312	WOS64.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exex.exeWOS64.exe

description	pid	process	target process
PID 2208 wrote to memory of 2764	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2764	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2764	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 1952	2208	cmd.exe	cscript.exe
PID 2208 wrote to memory of 1952	2208	cmd.exe	cscript.exe
PID 2208 wrote to memory of 1952	2208	cmd.exe	cscript.exe
PID 2208 wrote to memory of 1564	2208	cmd.exe	x.exe
PID 2208 wrote to memory of 1564	2208	cmd.exe	x.exe
PID 2208 wrote to memory of 1564	2208	cmd.exe	x.exe
PID 1564 wrote to memory of 1984	1564	x.exe	schtasks.exe
PID 1564 wrote to memory of 1984	1564	x.exe	schtasks.exe
PID 1564 wrote to memory of 1984	1564	x.exe	schtasks.exe
PID 1564 wrote to memory of 2312	1564	x.exe	WOS64.exe
PID 1564 wrote to memory of 2312	1564	x.exe	WOS64.exe
PID 1564 wrote to memory of 2312	1564	x.exe	WOS64.exe
PID 2312 wrote to memory of 2016	2312	WOS64.exe	schtasks.exe
PID 2312 wrote to memory of 2016	2312	WOS64.exe	schtasks.exe
PID 2312 wrote to memory of 2016	2312	WOS64.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\WindowsEnabler.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\WindowsEnabler.bat"
2⤵
PID:2764

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\WOS64.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\SubDir\WOS64.exe
"C:\Windows\system32\SubDir\WOS64.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\WOS64.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
adbf526e1c7aa7db4afb9160c723c6c9

SHA1
b359707c60760a955845d360cd0595ec19448ee3

SHA256
51123e4dfd33d77588bb6d21d4dd314ecd0b2fcc9c62afc6d06cc2f48fdf8000

SHA512
8dc1d73f7bbd6cb310925333e249c81ca6ad670cea875c7ad578b9961ec782759093d12d1223ecce8faa953f91712a2d5aa5a7af1d515ada022e91ac4bffa466

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
6da36791dc2c0dbcfdf65bac24d5a5a0

SHA1
180cf29d3bad68d91d6f8c28f091e30db1232ff0

SHA256
8f96e670d747fa43e8adfebae4c7f493d9be53b58e25bcd3e8d1b6070c199fda

SHA512
d8f9915046a0a16cc33d6282f311bd27c4dddb4c4dc85e946848946c75ebc90b7fc183b0cba52d12a6e0c11600fec4f0a8c9b8a8f3c841ef5c07ab576dc8a47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
3.1MB

MD5
fd6dccd44a562b3523977f5ce28b5c2e

SHA1
ba4da83a6e0c81303efa2f29b422ee2c1005bba9

SHA256
6455daeb0b40fb0d70b3515e265450bc5eff3a96a72f5bd37de48cadb38b25bd

SHA512
99acfc02e1dc397a2a03bf21718d9f09f84a546cb1ab4658a8d27f4d145b34c2a4b55adff3e99682b855ccaca89cc000aded79b61ee9098863d1c75f16dd89c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/1564-62220-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/1564-62218-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/1564-62219-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1564-62229-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-62226-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-62227-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/2312-62228-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2312-62230-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-62231-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads