quasar | 18ea60cdacb1b050fa03cb12ebf3474f9f452904a9b0ac3a2a49144dc8c9eb88

Analysis

max time kernel
596s
max time network
604s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigmasONLY.exe
Size

3.1MB
MD5

d24f638c48fa006d893594e969bc9ebb
SHA1

c2300d048235309feddbb4be494ef9842511b4b2
SHA256

18ea60cdacb1b050fa03cb12ebf3474f9f452904a9b0ac3a2a49144dc8c9eb88
SHA512

0b23d19263722df4d107059065b80b996042d0f35f3e4923ba8fb923ee6928fd7c22bc0badc844a98dcb9231a6e1e458e69dc4fe700e588aec7ba1db7b32abc2
SSDEEP

49152:SvaI22SsaNYfdPBldt698dBcjHqmDJERHNk/OgdoGd9jTHHB72eh2NT:SvX22SsaNYfdPBldt6+dBcjHqmDYS

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

140.238.91.110:36305

Mutex

f4720af1-0ef3-414f-b170-e837e2727049

Attributes

encryption_key
52EF528D690A6F47ED9D8BD4A80E69CBE28EDC0A
install_name
WOS64.exe
log_directory
Windows Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5096-0-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

WOS64.exe

pid process

4560 WOS64.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2768 schtasks.exe
856 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sigmasONLY.exeWOS64.exe

description pid process

Token: SeDebugPrivilege 5096 sigmasONLY.exe
Token: SeDebugPrivilege 4560 WOS64.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WOS64.exe

pid process

4560 WOS64.exe

pid	process
4560	WOS64.exe

pid	process
2768	schtasks.exe
856	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	5096	sigmasONLY.exe
Token: SeDebugPrivilege	4560	WOS64.exe

pid	process
4560	WOS64.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sigmasONLY.exeWOS64.exe

description	pid	process	target process
PID 5096 wrote to memory of 2768	5096	sigmasONLY.exe	schtasks.exe
PID 5096 wrote to memory of 2768	5096	sigmasONLY.exe	schtasks.exe
PID 5096 wrote to memory of 4560	5096	sigmasONLY.exe	WOS64.exe
PID 5096 wrote to memory of 4560	5096	sigmasONLY.exe	WOS64.exe
PID 4560 wrote to memory of 856	4560	WOS64.exe	schtasks.exe
PID 4560 wrote to memory of 856	4560	WOS64.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sigmasONLY.exe
"C:\Users\Admin\AppData\Local\Temp\sigmasONLY.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe
"C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe
Filesize
3.1MB

MD5
d24f638c48fa006d893594e969bc9ebb

SHA1
c2300d048235309feddbb4be494ef9842511b4b2

SHA256
18ea60cdacb1b050fa03cb12ebf3474f9f452904a9b0ac3a2a49144dc8c9eb88

SHA512
0b23d19263722df4d107059065b80b996042d0f35f3e4923ba8fb923ee6928fd7c22bc0badc844a98dcb9231a6e1e458e69dc4fe700e588aec7ba1db7b32abc2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WOS64.exe
Filesize
64KB

MD5
b42cfd1370cf90cf11220238382c9658

SHA1
77414cc3a08845e6d2345b10bae35341664d18b5

SHA256
913000b2159ba5dbe4544498212198e64346d5be1738c8a73daf53858593ea9c

SHA512
cedaecfcc8238f737bbbd85da851194c5cccf8f3a9ec6c55c1704dd0b3d243e22bb28cd1857640341085234ab7354a20f1180cf960afb2e073d06b5979cf6c92

Download Submit
memory/4560-10-0x00007FFB6B310000-0x00007FFB6BDD2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-11-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/4560-12-0x000000001BD50000-0x000000001BDA0000-memory.dmp

Filesize
320KB

Download
memory/4560-13-0x000000001CAA0000-0x000000001CB52000-memory.dmp

Filesize
712KB

Download
memory/4560-14-0x00007FFB6B310000-0x00007FFB6BDD2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-15-0x000000001BDE0000-0x000000001BDF0000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/5096-1-0x00007FFB6B310000-0x00007FFB6BDD2000-memory.dmp

Filesize
10.8MB

Download
memory/5096-2-0x000000001B320000-0x000000001B330000-memory.dmp

Filesize
64KB

Download
memory/5096-9-0x00007FFB6B310000-0x00007FFB6BDD2000-memory.dmp

Filesize
10.8MB

Download