quasar | 9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

General

Target

schvine.exe
Size

3.1MB
MD5

77c7750e215b1a45430ebeecc5973d14
SHA1

5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256

9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512

954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
SSDEEP

49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:38035

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3692-0-0x0000000000640000-0x0000000000964000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

4916 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4356 schtasks.exe
4696 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1868 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

schvine.exeUpdateHost.exe

description pid process

Token: SeDebugPrivilege 3692 schvine.exe
Token: SeDebugPrivilege 4916 UpdateHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UpdateHost.exe

pid process

4916 UpdateHost.exe

pid	process
4916	UpdateHost.exe

pid	process
4356	schtasks.exe
4696	schtasks.exe

pid	process
1868	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3692	schvine.exe
Token: SeDebugPrivilege	4916	UpdateHost.exe

pid	process
4916	UpdateHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

schvine.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 4356	3692	schvine.exe	schtasks.exe
PID 3692 wrote to memory of 4356	3692	schvine.exe	schtasks.exe
PID 3692 wrote to memory of 4916	3692	schvine.exe	UpdateHost.exe
PID 3692 wrote to memory of 4916	3692	schvine.exe	UpdateHost.exe
PID 4916 wrote to memory of 4696	4916	UpdateHost.exe	schtasks.exe
PID 4916 wrote to memory of 4696	4916	UpdateHost.exe	schtasks.exe
PID 4916 wrote to memory of 2992	4916	UpdateHost.exe	schtasks.exe
PID 4916 wrote to memory of 2992	4916	UpdateHost.exe	schtasks.exe
PID 4916 wrote to memory of 520	4916	UpdateHost.exe	cmd.exe
PID 4916 wrote to memory of 520	4916	UpdateHost.exe	cmd.exe
PID 520 wrote to memory of 2932	520	cmd.exe	chcp.com
PID 520 wrote to memory of 2932	520	cmd.exe	chcp.com
PID 520 wrote to memory of 1868	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 1868	520	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\schvine.exe
"C:\Users\Admin\AppData\Local\Temp\schvine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4356

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WOS64" /f
3⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZLyzMrWjUif9.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZLyzMrWjUif9.bat
Filesize
216B

MD5
173696b3f94ef587b2f64986ebcec601

SHA1
2b40616b1dd8927989e730bbfc03ee8ff0cf609c

SHA256
574d7eb43d9d85f9ae765206eeb9f50157090bd8c130c036c537f88603a5aa1b

SHA512
49c078ae4c5fb6329118b6c6f06b55498c611c6c3651491af0284a3e5b09e761a48eae25c16d6f5ba2f2a94e6739c6cdd17085c6fa236d4890809160f871b7a9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
77c7750e215b1a45430ebeecc5973d14

SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe

SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e

Download Submit
memory/3692-0-0x0000000000640000-0x0000000000964000-memory.dmp

Filesize
3.1MB

Download
memory/3692-1-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/3692-2-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

Filesize
64KB

Download
memory/3692-9-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-11-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/4916-12-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/4916-13-0x000000001C640000-0x000000001C6F2000-memory.dmp

Filesize
712KB

Download
memory/4916-16-0x000000001BE20000-0x000000001BE32000-memory.dmp

Filesize
72KB

Download
memory/4916-17-0x000000001C580000-0x000000001C5BE000-memory.dmp

Filesize
248KB

Download
memory/4916-18-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-19-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/4916-24-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-10-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads