quasar | fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383

General

Target

Client-built.exe
Size

3.1MB
MD5

fbf8bf1a542094f980a0ebadf0cd0331
SHA1

d92f0eb94e1d7bccf4e3512ed61d769720d425d7
SHA256

fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383
SHA512

7107265fc94a19abaf05b09c28c4c3482add48d863f30b3d3b9bda096968f9923e8a28ef8f63b7f709e6d0ef45a564fb841ebd59df421f1cb0b13f7ff3179290
SSDEEP

49152:Wvkt62XlaSFNWPjljiFa2RoUYIYCF1JaLoGdTTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIYC2

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3088-0-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

420 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4988 schtasks.exe
4168 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1848 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeUpdateHost.exe

description pid process

Token: SeDebugPrivilege 3088 Client-built.exe
Token: SeDebugPrivilege 420 UpdateHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UpdateHost.exe

pid process

420 UpdateHost.exe

pid	process
420	UpdateHost.exe

pid	process
4988	schtasks.exe
4168	schtasks.exe

pid	process
1848	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3088	Client-built.exe
Token: SeDebugPrivilege	420	UpdateHost.exe

pid	process
420	UpdateHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Client-built.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 3088 wrote to memory of 4988	3088	Client-built.exe	schtasks.exe
PID 3088 wrote to memory of 4988	3088	Client-built.exe	schtasks.exe
PID 3088 wrote to memory of 420	3088	Client-built.exe	UpdateHost.exe
PID 3088 wrote to memory of 420	3088	Client-built.exe	UpdateHost.exe
PID 420 wrote to memory of 4168	420	UpdateHost.exe	schtasks.exe
PID 420 wrote to memory of 4168	420	UpdateHost.exe	schtasks.exe
PID 420 wrote to memory of 1936	420	UpdateHost.exe	schtasks.exe
PID 420 wrote to memory of 1936	420	UpdateHost.exe	schtasks.exe
PID 420 wrote to memory of 1908	420	UpdateHost.exe	cmd.exe
PID 420 wrote to memory of 1908	420	UpdateHost.exe	cmd.exe
PID 1908 wrote to memory of 5116	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 5116	1908	cmd.exe	chcp.com
PID 1908 wrote to memory of 1848	1908	cmd.exe	PING.EXE
PID 1908 wrote to memory of 1848	1908	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4988

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4168

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WOS64" /f
3⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5116

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eg5cdkBpNxfl.bat
Filesize
216B

MD5
5c7dc76e5a90fe57b343fa02acba4194

SHA1
ace0f25c2959720450c4c9283cd89cc96832b3d9

SHA256
cd7deca4a2aa10934727e0e7bdc567034a96abf61f619da234fbeeace1cc9e2d

SHA512
81b32d33a2b8a1db67c395025aff8ae5aa552410494f5adef2dd3061e82f7ea292ce69ab45d9b2371b8e91be38c87a6cb2adb82e3029048d12a421ed9220611b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
fbf8bf1a542094f980a0ebadf0cd0331

SHA1
d92f0eb94e1d7bccf4e3512ed61d769720d425d7

SHA256
fa281523c8726d55023091c15321edca91ad7e480d0b0bb1f381e94861a84383

SHA512
7107265fc94a19abaf05b09c28c4c3482add48d863f30b3d3b9bda096968f9923e8a28ef8f63b7f709e6d0ef45a564fb841ebd59df421f1cb0b13f7ff3179290

Download Submit
memory/420-11-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/420-9-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp

Filesize
10.8MB

Download
memory/420-12-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/420-13-0x000000001BBE0000-0x000000001BC92000-memory.dmp

Filesize
712KB

Download
memory/420-16-0x000000001BB40000-0x000000001BB52000-memory.dmp

Filesize
72KB

Download
memory/420-17-0x000000001BBA0000-0x000000001BBDC000-memory.dmp

Filesize
240KB

Download
memory/420-18-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp

Filesize
10.8MB

Download
memory/420-19-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/420-24-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp

Filesize
10.8MB

Download
memory/3088-2-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/3088-10-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp

Filesize
10.8MB

Download
memory/3088-0-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/3088-1-0x00007FFD23C90000-0x00007FFD24752000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads