quasar | 9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

General

Target

schvine.exe
Size

3.1MB
MD5

77c7750e215b1a45430ebeecc5973d14
SHA1

5bdcb97d5b0f6520d03f76fd6879c092da44b2fe
SHA256

9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af
SHA512

954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e
SSDEEP

49152:Dvkt62XlaSFNWPjljiFa2RoUYIBVuh9LoGdRdTHHB72eh2NT:Dv462XlaSFNWPjljiFXRoUYIBVuh1

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:38035

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2308-0-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

2720 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1852 schtasks.exe
2800 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3376 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

schvine.exeUpdateHost.exe

description pid process

Token: SeDebugPrivilege 2308 schvine.exe
Token: SeDebugPrivilege 2720 UpdateHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UpdateHost.exe

pid process

2720 UpdateHost.exe

pid	process
2720	UpdateHost.exe

pid	process
1852	schtasks.exe
2800	schtasks.exe

pid	process
3376	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2308	schvine.exe
Token: SeDebugPrivilege	2720	UpdateHost.exe

pid	process
2720	UpdateHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

schvine.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 2308 wrote to memory of 1852	2308	schvine.exe	schtasks.exe
PID 2308 wrote to memory of 1852	2308	schvine.exe	schtasks.exe
PID 2308 wrote to memory of 2720	2308	schvine.exe	UpdateHost.exe
PID 2308 wrote to memory of 2720	2308	schvine.exe	UpdateHost.exe
PID 2720 wrote to memory of 2800	2720	UpdateHost.exe	schtasks.exe
PID 2720 wrote to memory of 2800	2720	UpdateHost.exe	schtasks.exe
PID 2720 wrote to memory of 3268	2720	UpdateHost.exe	schtasks.exe
PID 2720 wrote to memory of 3268	2720	UpdateHost.exe	schtasks.exe
PID 2720 wrote to memory of 3248	2720	UpdateHost.exe	cmd.exe
PID 2720 wrote to memory of 3248	2720	UpdateHost.exe	cmd.exe
PID 3248 wrote to memory of 240	3248	cmd.exe	chcp.com
PID 3248 wrote to memory of 240	3248	cmd.exe	chcp.com
PID 3248 wrote to memory of 3376	3248	cmd.exe	PING.EXE
PID 3248 wrote to memory of 3376	3248	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\schvine.exe
"C:\Users\Admin\AppData\Local\Temp\schvine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1852

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WOS64" /f
3⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgbzoyWpMo6.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MkgbzoyWpMo6.bat
Filesize
216B

MD5
00f0a01531752f53fa070f9ec5c1addc

SHA1
68ab89adada1f39e20c5f699b8d30e8513afebd9

SHA256
2e5e0101e6311af79e39b06c86202aa2b652a9f709b1b2ded6729aeb97dd63b8

SHA512
672ef5c5224cba70618ac2a73e22cf5c105acf05f4f745ac51e31a6d75c1acc0989188b0ee5c41f37a52fc84f7ebead2e71c6818653ddfcb392eb09338297157

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
77c7750e215b1a45430ebeecc5973d14

SHA1
5bdcb97d5b0f6520d03f76fd6879c092da44b2fe

SHA256
9aa555e008f1af5330fc5362a4f024115185c896a8409d55559442b5d2a439af

SHA512
954bb9f6a52bd5ff4924fdeae991440e7b6ad51aba000be8fe1100ed44616fba87bb9ba3feda0376e82e68990fcc21063f3a7c5a29e0d3c17bf1676c1cc3ff1e

Download Submit
memory/2308-0-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/2308-1-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp

Filesize
10.8MB

Download
memory/2308-2-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/2308-9-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp

Filesize
10.8MB

Download
memory/2720-11-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

Filesize
64KB

Download
memory/2720-12-0x000000001C400000-0x000000001C450000-memory.dmp

Filesize
320KB

Download
memory/2720-13-0x000000001C510000-0x000000001C5C2000-memory.dmp

Filesize
712KB

Download
memory/2720-16-0x000000001C4A0000-0x000000001C4B2000-memory.dmp

Filesize
72KB

Download
memory/2720-17-0x000000001D120000-0x000000001D15C000-memory.dmp

Filesize
240KB

Download
memory/2720-18-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp

Filesize
10.8MB

Download
memory/2720-19-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

Filesize
64KB

Download
memory/2720-24-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp

Filesize
10.8MB

Download
memory/2720-10-0x00007FFCAABF0000-0x00007FFCAB6B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads