quasar | a155e28e5517fc85bf006ee991a1aab8f595a0aaeb05b0ee4fd38cdbc8f6ca52

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-03-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware.bat
Size

5.1MB
MD5

9a7d8e4dd1ba4265ef75c22265b9fbb8
SHA1

fcd5b59e6ed52b1e2efeb3e68c7c4bc3f93945d5
SHA256

a155e28e5517fc85bf006ee991a1aab8f595a0aaeb05b0ee4fd38cdbc8f6ca52
SHA512

ee1c93dbb18f40e589b1914dd416dc0f96b9279b71e3f048eccaba5efad7430a72178fa87234ac70757099628c33a27f234ad7f3cd3854de3fd6d59c67d17fd6
SSDEEP

24576:SpcksZhAsxYu9bEUt4Qa1CFQa5Z4tp5ljbjvGr2BBgfretKRxMp+hrQB0eJM2a8d:MSbESV0MFJnCjsYvVxxx

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

140.238.91.110:36039

Mutex

df49f69a-66a2-4b6e-bb60-18c12b5b14df

Attributes

encryption_key
6A1671418BB270D703D501AB8E9B41E8D413B6D3
install_name
Client.exe
log_directory
Win64ErrorLogs
reconnect_delay
3000
startup_key
Windows Boot Menu
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral1/memory/2656-62218-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2796-62228-0x0000000000840000-0x0000000000B64000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

x.exeClient.exe

pid process

2656 x.exe
2796 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2128 schtasks.exe
2696 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

x.exeClient.exe

description pid process

Token: SeDebugPrivilege 2656 x.exe
Token: SeDebugPrivilege 2796 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2796 Client.exe

pid	process
2656	x.exe
2796	Client.exe

pid	process
2128	schtasks.exe
2696	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2656	x.exe
Token: SeDebugPrivilege	2796	Client.exe

pid	process
2796	Client.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exex.exeClient.exe

description	pid	process	target process
PID 2620 wrote to memory of 2724	2620	cmd.exe	findstr.exe
PID 2620 wrote to memory of 2724	2620	cmd.exe	findstr.exe
PID 2620 wrote to memory of 2724	2620	cmd.exe	findstr.exe
PID 2620 wrote to memory of 1656	2620	cmd.exe	cscript.exe
PID 2620 wrote to memory of 1656	2620	cmd.exe	cscript.exe
PID 2620 wrote to memory of 1656	2620	cmd.exe	cscript.exe
PID 2620 wrote to memory of 2656	2620	cmd.exe	x.exe
PID 2620 wrote to memory of 2656	2620	cmd.exe	x.exe
PID 2620 wrote to memory of 2656	2620	cmd.exe	x.exe
PID 2656 wrote to memory of 2128	2656	x.exe	schtasks.exe
PID 2656 wrote to memory of 2128	2656	x.exe	schtasks.exe
PID 2656 wrote to memory of 2128	2656	x.exe	schtasks.exe
PID 2656 wrote to memory of 2796	2656	x.exe	Client.exe
PID 2656 wrote to memory of 2796	2656	x.exe	Client.exe
PID 2656 wrote to memory of 2796	2656	x.exe	Client.exe
PID 2796 wrote to memory of 2696	2796	Client.exe	schtasks.exe
PID 2796 wrote to memory of 2696	2796	Client.exe	schtasks.exe
PID 2796 wrote to memory of 2696	2796	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Malware.bat"
2⤵
PID:2724

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2128

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x
Filesize
1KB

MD5
887da7a91254c6b048aeee103349e4ad

SHA1
c7a3c3aa6004ac68186e4517e2290691238c6a82

SHA256
5faec935fb44a8dcd721616eb77d6e4c04fb2ee2eac9ec95eb5c260ba024e758

SHA512
1a6f79339892a5660930e2131ddd413d2d3430aaa9034cfbbc53ea8a872797e510f3f84a52b5149851ed7e67dc0b1273e78824023313889397902cc234d48e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
455a61cc4a314ee0a161afeeb892127a

SHA1
39cd3580251ba1ea61ca235cf34b906d6cd06a10

SHA256
5e1ce5ab4179522e60cfdf3e10b2740bd2dd634ec05701218f6000ee407ab269

SHA512
e5c6197beef87942b5ea5b9afb71751a9a8ce5efedb5b59f6b778de856454cd9a83ffbdfe94bbd2c7b8ac8391514dd0b10b5b08c7bda37bf961885b88e1693d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4.3MB

MD5
8f5db2a9a611c27329ceb18fe4be4b7c

SHA1
9ebde9eeb11fdd7abbff994b2e618fb5788b195a

SHA256
ed7bb1b3674576e85aade62061e5b7f92815a40cd794d5c1695b41c38f7ac418

SHA512
21160048814f77862f9024246e9e9e039e0ff97a2e4c2848c8ed148f76ed57490f0ea0c60a0fd9a6b697737960de845ce5e83454608de02a4a1d5d6e34052449

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
1KB

MD5
d5108ed7cecef1fff3f24d80a9f21a44

SHA1
d36cd08f4377b52f76db5c79dddf2b053f17503d

SHA256
1d7ab3e26d52dd5059113b1a7455645562abed46658ad602e9d1f5bbee20a26c

SHA512
605271ebc302c62ec6846fb02cbf6187a9a2f0b724bd01c70433a6f131a7086d4fd45ea7ba7c1522de87842afdbe784006f1ba9cbd72c43317c91c3b248184f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
3.1MB

MD5
561d2b135a6200ef094b222eb47af87a

SHA1
4db2f2254cae3695a0ffa7ccdc13097db254cd8c

SHA256
c458feb66832df6a0c361d951c60bcda34c4f5c82652d25c5e4a1aa4c41d8d94

SHA512
6bd32a9099968b13150a16ee919684e319a67a55dc436fb36157901528e5ccf0283daecdafd07876186f00af13a3bba170a6328926156578a2c06455772b0094

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
1.9MB

MD5
747a68f6cef67f1d32e2c8bd1a104c76

SHA1
d147744f083d8d3313edc2d8ced15da47e9063ef

SHA256
59bb040d456946901ae7d0840b37d743f81eddf5aaa57a66e50b3df0b66aae10

SHA512
91ad965e0ffbdba42781c651e3de4a76e17913f629e4468ab238c1dfd7c2bcbfc532a3705dc1d923aa48acd4c60023d0d54df85fbf1bc3b25f805309cf53599b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
2.3MB

MD5
3fbd2a79e95b10f865e478a05354f4af

SHA1
7b3dcc1689b528b7c1755372fdf22235ff5f3de4

SHA256
20872dd4464c6f5b55a8ecac6426ec8cc99e169586279f2f301e70ac3b0e9729

SHA512
ec54aad88cfb9910b0019086f7af4228a19f43cc2a491ffce089a74eaafc6870a4aad53850fe1f92c09d27d1906009144d8f01567916969e8a616d0ab3fd3c26

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
2.0MB

MD5
a21cd9591853e3ccdd66285b46e49272

SHA1
d599a0b40cfb25169a6ebc4364d19e210f17532b

SHA256
fd031c87b239241400d41ed5d018f84573fff600918f0cd4efc1c753ef65002c

SHA512
10e293bf9f700df3a60da549e8113ac16ad4fdf12bbbbad0178a3167806a9cf09801ab560e9a70c1aa411dd9d7f6ce1e3b7c1fdbaa414c2f2bfe1f4bf5732c01

Download Submit
memory/2656-62220-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2656-62219-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-62227-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-62218-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/2796-62226-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-62228-0x0000000000840000-0x0000000000B64000-memory.dmp

Filesize
3.1MB

Download
memory/2796-62229-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download
memory/2796-62230-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-62231-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download