quasar | 9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

General

Target

schvine.exe
Size

3.1MB
MD5

77c7750e215b1a45430ebeecc5973d14
SHA1

5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256

9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512

954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
SSDEEP

49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:38035

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4440-0-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UpdateHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe

Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

2208 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3440 schtasks.exe
3020 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1132 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

schvine.exeUpdateHost.exe

description pid process

Token: SeDebugPrivilege 4440 schvine.exe
Token: SeDebugPrivilege 2208 UpdateHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UpdateHost.exe

pid process

2208 UpdateHost.exe

pid	process
2208	UpdateHost.exe

pid	process
3440	schtasks.exe
3020	schtasks.exe

pid	process
1132	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4440	schvine.exe
Token: SeDebugPrivilege	2208	UpdateHost.exe

pid	process
2208	UpdateHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

schvine.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 4440 wrote to memory of 3440	4440	schvine.exe	schtasks.exe
PID 4440 wrote to memory of 3440	4440	schvine.exe	schtasks.exe
PID 4440 wrote to memory of 2208	4440	schvine.exe	UpdateHost.exe
PID 4440 wrote to memory of 2208	4440	schvine.exe	UpdateHost.exe
PID 2208 wrote to memory of 3020	2208	UpdateHost.exe	schtasks.exe
PID 2208 wrote to memory of 3020	2208	UpdateHost.exe	schtasks.exe
PID 2208 wrote to memory of 4352	2208	UpdateHost.exe	schtasks.exe
PID 2208 wrote to memory of 4352	2208	UpdateHost.exe	schtasks.exe
PID 2208 wrote to memory of 4940	2208	UpdateHost.exe	cmd.exe
PID 2208 wrote to memory of 4940	2208	UpdateHost.exe	cmd.exe
PID 4940 wrote to memory of 4312	4940	cmd.exe	chcp.com
PID 4940 wrote to memory of 4312	4940	cmd.exe	chcp.com
PID 4940 wrote to memory of 1132	4940	cmd.exe	PING.EXE
PID 4940 wrote to memory of 1132	4940	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\schvine.exe
"C:\Users\Admin\AppData\Local\Temp\schvine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3440

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WOS64" /f
3⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eNAlgOS4dD5n.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4312

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eNAlgOS4dD5n.bat
Filesize
216B

MD5
ffc319e6314536c71ebfdf66bf0e6dfc

SHA1
eaacad8de54aae0c2eab60f6ed8525bc65ba44b2

SHA256
a7954dbdf9a66c364c9ebbff810471401d992fcef5d1facc8da6d9d70ce49212

SHA512
5d09a7970464f3556cddd6f579c78450b6fa6d17451603da868b2df9f1585a357679bae184a1bf3a27bb222ad0d9fd97adc35da3bc64fde69d7802ce5e9a20cb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
77c7750e215b1a45430ebeecc5973d14

SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe

SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e

Download Submit
memory/2208-11-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/2208-10-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp

Filesize
10.8MB

Download
memory/2208-12-0x0000000003450000-0x00000000034A0000-memory.dmp

Filesize
320KB

Download
memory/2208-13-0x000000001C580000-0x000000001C632000-memory.dmp

Filesize
712KB

Download
memory/2208-17-0x000000001CD80000-0x000000001CDBC000-memory.dmp

Filesize
240KB

Download
memory/2208-16-0x000000001C4F0000-0x000000001C502000-memory.dmp

Filesize
72KB

Download
memory/2208-18-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp

Filesize
10.8MB

Download
memory/2208-23-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp

Filesize
10.8MB

Download
memory/4440-2-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/4440-9-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp

Filesize
10.8MB

Download
memory/4440-0-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/4440-1-0x00007FFB1F3C0000-0x00007FFB1FE81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads