quasar | df11dd094952f12ea053085c7a7801326a58dc2ce42570b35b2fec98a7801808

General

Target

Client-built.exe
Size

3.1MB
MD5

5b2ccc8a8d94dde2f51b8311e2548255
SHA1

22edf1e9abd6902e1c9b424a548b6d52df20ae22
SHA256

df11dd094952f12ea053085c7a7801326a58dc2ce42570b35b2fec98a7801808
SHA512

78c8c5d54be2926744351846723903da6e51d517b70f1aac7312a6f29ce64663eb39db905a343a5ddef235c26d093c3e97bbd21abc27ebdf1bc4de257bb4a861
SSDEEP

49152:DvRuf2NUaNmwzPWlvdaKM7ZxTwUsEdGWBeLLoBdLTHHB72eh2NT:Dvsf2NUaNmwzPWlvdaB7ZxTwUlGl

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:38899

uk2.localto.net:38899:38899

Mutex

276d9dc6-b19c-4958-8ac3-89586bd3b515

Attributes

encryption_key
ABCF70C37D1A79A01712038122D1532DF20DF72A
install_name
Client.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4572-0-0x0000000000670000-0x0000000000994000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 4 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exe

pid process

4852 Client.exe
3128 Client.exe
2660 Client.exe
5088 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5080 schtasks.exe
1508 schtasks.exe
3584 schtasks.exe
2604 schtasks.exe
3436 schtasks.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

5052 PING.EXE
1812 PING.EXE
3388 PING.EXE

pid	process
4852	Client.exe
3128	Client.exe
2660	Client.exe
5088	Client.exe

pid	process
5080	schtasks.exe
1508	schtasks.exe
3584	schtasks.exe
2604	schtasks.exe
3436	schtasks.exe

pid	process
5052	PING.EXE
1812	PING.EXE
3388	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4572	Client-built.exe
Token: SeDebugPrivilege	4852	Client.exe
Token: SeDebugPrivilege	3128	Client.exe
Token: SeDebugPrivilege	2660	Client.exe
Token: SeDebugPrivilege	5088	Client.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exe

pid process

4852 Client.exe
3128 Client.exe
2660 Client.exe
5088 Client.exe

pid	process
4852	Client.exe
3128	Client.exe
2660	Client.exe
5088	Client.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.exe

description	pid	process	target process
PID 4572 wrote to memory of 3584	4572	Client-built.exe	schtasks.exe
PID 4572 wrote to memory of 3584	4572	Client-built.exe	schtasks.exe
PID 4572 wrote to memory of 4852	4572	Client-built.exe	Client.exe
PID 4572 wrote to memory of 4852	4572	Client-built.exe	Client.exe
PID 4852 wrote to memory of 2604	4852	Client.exe	schtasks.exe
PID 4852 wrote to memory of 2604	4852	Client.exe	schtasks.exe
PID 4852 wrote to memory of 2240	4852	Client.exe	cmd.exe
PID 4852 wrote to memory of 2240	4852	Client.exe	cmd.exe
PID 2240 wrote to memory of 4088	2240	cmd.exe	chcp.com
PID 2240 wrote to memory of 4088	2240	cmd.exe	chcp.com
PID 2240 wrote to memory of 5052	2240	cmd.exe	PING.EXE
PID 2240 wrote to memory of 5052	2240	cmd.exe	PING.EXE
PID 2240 wrote to memory of 3128	2240	cmd.exe	Client.exe
PID 2240 wrote to memory of 3128	2240	cmd.exe	Client.exe
PID 3128 wrote to memory of 3436	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 3436	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 3428	3128	Client.exe	cmd.exe
PID 3128 wrote to memory of 3428	3128	Client.exe	cmd.exe
PID 3428 wrote to memory of 1572	3428	cmd.exe	chcp.com
PID 3428 wrote to memory of 1572	3428	cmd.exe	chcp.com
PID 3428 wrote to memory of 1812	3428	cmd.exe	PING.EXE
PID 3428 wrote to memory of 1812	3428	cmd.exe	PING.EXE
PID 3428 wrote to memory of 2660	3428	cmd.exe	Client.exe
PID 3428 wrote to memory of 2660	3428	cmd.exe	Client.exe
PID 2660 wrote to memory of 5080	2660	Client.exe	schtasks.exe
PID 2660 wrote to memory of 5080	2660	Client.exe	schtasks.exe
PID 2660 wrote to memory of 232	2660	Client.exe	cmd.exe
PID 2660 wrote to memory of 232	2660	Client.exe	cmd.exe
PID 232 wrote to memory of 4796	232	cmd.exe	chcp.com
PID 232 wrote to memory of 4796	232	cmd.exe	chcp.com
PID 232 wrote to memory of 3388	232	cmd.exe	PING.EXE
PID 232 wrote to memory of 3388	232	cmd.exe	PING.EXE
PID 232 wrote to memory of 5088	232	cmd.exe	Client.exe
PID 232 wrote to memory of 5088	232	cmd.exe	Client.exe
PID 5088 wrote to memory of 1508	5088	Client.exe	schtasks.exe
PID 5088 wrote to memory of 1508	5088	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3584

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r6q5aHjkOvlD.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4088

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5052

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ju1a3sA5LKzP.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1812

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cqo9oFGxzilL.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4796

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3388

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cqo9oFGxzilL.bat
Filesize
208B

MD5
a4cd2cec7327db2807dc61018dadcb1e

SHA1
7dcb71abc97891959cd8b2e853ff5c73e5154558

SHA256
2be9e602bfac9f98ad821358b0a2b937822663a2ac03e6a0ac698c93715f012e

SHA512
7759864e6fdf04d1906cc4a3adb215a94d5a67aaeb2486b61b87c348337c97fe619a95998a893ef68b67ce3acb5d1c129d7fb7d31a15910a5b1df29313eef5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ju1a3sA5LKzP.bat
Filesize
208B

MD5
7bb1546b1060788d8580ab441d701f30

SHA1
e80bff918ee3a9d4b1080c66b34696d0d9a3d099

SHA256
6c2db1ada9fdae986a3e6b86d8b66b4773a42975bf37be658204d25de3384775

SHA512
0dd04dbf96c541ce336d9000462ff719166e1188c38d2992dd9ff02b47f191d3d4389e914e3eb2477e9513fde068470925761aec2a24fab2bd880f004bd74092

Download Submit
C:\Users\Admin\AppData\Local\Temp\r6q5aHjkOvlD.bat
Filesize
208B

MD5
a6a959f46ac98f39b32a3a4566784dbe

SHA1
261aa8267466913a458ba187088a5d2b73bc736c

SHA256
c5add205ce6e0c09a491d1b0cf447003d0f7c3f13d24919d5e25850b4c0a9b45

SHA512
c36072c8aa7e55d16dab5dc720017cfe8f56145f740e26f02a4be8634447c1c2e0ed42bb75e10574e3c8e6c31bf8f8196705e1eb4951e6375f09fdac1c7aada8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
3.1MB

MD5
5b2ccc8a8d94dde2f51b8311e2548255

SHA1
22edf1e9abd6902e1c9b424a548b6d52df20ae22

SHA256
df11dd094952f12ea053085c7a7801326a58dc2ce42570b35b2fec98a7801808

SHA512
78c8c5d54be2926744351846723903da6e51d517b70f1aac7312a6f29ce64663eb39db905a343a5ddef235c26d093c3e97bbd21abc27ebdf1bc4de257bb4a861

Download Submit
memory/2660-29-0x00007FF842010000-0x00007FF842AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2660-35-0x00007FF842010000-0x00007FF842AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2660-30-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3128-21-0x00007FF842010000-0x00007FF842AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-26-0x00007FF842010000-0x00007FF842AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-22-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/4572-10-0x00007FF841DC0000-0x00007FF842881000-memory.dmp

Filesize
10.8MB

Download
memory/4572-2-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/4572-0-0x0000000000670000-0x0000000000994000-memory.dmp

Filesize
3.1MB

Download
memory/4572-1-0x00007FF841DC0000-0x00007FF842881000-memory.dmp

Filesize
10.8MB

Download
memory/4852-9-0x00007FF841DC0000-0x00007FF842881000-memory.dmp

Filesize
10.8MB

Download
memory/4852-11-0x000000001BB20000-0x000000001BB70000-memory.dmp

Filesize
320KB

Download
memory/4852-17-0x00007FF841DC0000-0x00007FF842881000-memory.dmp

Filesize
10.8MB

Download
memory/4852-12-0x000000001BC30000-0x000000001BCE2000-memory.dmp

Filesize
712KB

Download
memory/5088-37-0x00007FF8421D0000-0x00007FF842C91000-memory.dmp

Filesize
10.8MB

Download
memory/5088-38-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads