quasar | 26052a7cbba762383fc09fa567fbe0e4dae8c0f6cd8d1253b656f56cc68fc770

Resubmissions

27/04/2024, 11:25

240427-nje4saaa9x 10

Analysis

max time kernel
59s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27/04/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CelexV2.exe
Size

3.4MB
MD5

086ecd8c32492885d5776efc72a551cc
SHA1

05c8a9ea60d0012f9c48d1e4c083a7dafb98b776
SHA256

26052a7cbba762383fc09fa567fbe0e4dae8c0f6cd8d1253b656f56cc68fc770
SHA512

facceff510b9a384471c2081126c64e4308ff1eb7b14db6974ce6c7d7fbde004e0d37b6d7eccb525c705249cba40fa1e32fb4be8ef04abaec18132917d589dc6
SSDEEP

49152:vvde821/aQWl8P0lSk3aKA3Z+nYYSr1JBboGdVTHHB72eh2NTcY2b:vvw821/aQWl8P0lSk3DA3Z+nYYSB3x

Score

10^/10

quasar kami spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Kami

ddqqswwzdzrr.3utilities.com:4782

Mutex

9e9aa4ca-d696-4e54-9cbd-83e91918f73c

Attributes

encryption_key
4586CDEAC9B29D84A4925415D110E19EDB8D0A8B
install_name
KamiRat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
KamiRat (deactivate this or it will run a the computer startup)
subdirectory
Kami

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4808-0-0x0000000000E50000-0x00000000011B6000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002ab1b-5.dat	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2988	KamiRat.exe
1952	KamiRat.exe
3168	KamiRat.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Kami	KamiRat.exe
File opened for modification	C:\Windows\system32\Kami	CelexV2.exe
File opened for modification	C:\Windows\system32\Kami	KamiRat.exe
File opened for modification	C:\Windows\system32\Kami\KamiRat.exe	KamiRat.exe
File opened for modification	C:\Windows\system32\Kami	KamiRat.exe
File opened for modification	C:\Windows\system32\Kami\KamiRat.exe	KamiRat.exe
File opened for modification	C:\Windows\system32\Kami\KamiRat.exe	KamiRat.exe
File created	C:\Windows\system32\Kami\KamiRat.exe	CelexV2.exe
File opened for modification	C:\Windows\system32\Kami\KamiRat.exe	CelexV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4580	schtasks.exe
3128	schtasks.exe
680	schtasks.exe
1012	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3536	PING.EXE
4024	PING.EXE
4668	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	CelexV2.exe
Token: SeDebugPrivilege	2988	KamiRat.exe
Token: SeDebugPrivilege	1952	KamiRat.exe
Token: SeDebugPrivilege	2644	CelexV2.exe
Token: SeDebugPrivilege	3168	KamiRat.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2988	KamiRat.exe
1952	KamiRat.exe
3168	KamiRat.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4580	4808	CelexV2.exe	81
PID 4808 wrote to memory of 4580	4808	CelexV2.exe	81
PID 4808 wrote to memory of 2988	4808	CelexV2.exe	83
PID 4808 wrote to memory of 2988	4808	CelexV2.exe	83
PID 2988 wrote to memory of 3128	2988	KamiRat.exe	84
PID 2988 wrote to memory of 3128	2988	KamiRat.exe	84
PID 2988 wrote to memory of 4768	2988	KamiRat.exe	86
PID 2988 wrote to memory of 4768	2988	KamiRat.exe	86
PID 4768 wrote to memory of 4612	4768	cmd.exe	88
PID 4768 wrote to memory of 4612	4768	cmd.exe	88
PID 4768 wrote to memory of 3536	4768	cmd.exe	89
PID 4768 wrote to memory of 3536	4768	cmd.exe	89
PID 4768 wrote to memory of 1952	4768	cmd.exe	92
PID 4768 wrote to memory of 1952	4768	cmd.exe	92
PID 1952 wrote to memory of 680	1952	KamiRat.exe	93
PID 1952 wrote to memory of 680	1952	KamiRat.exe	93
PID 1952 wrote to memory of 3880	1952	KamiRat.exe	98
PID 1952 wrote to memory of 3880	1952	KamiRat.exe	98
PID 3880 wrote to memory of 1604	3880	cmd.exe	100
PID 3880 wrote to memory of 1604	3880	cmd.exe	100
PID 3880 wrote to memory of 4024	3880	cmd.exe	101
PID 3880 wrote to memory of 4024	3880	cmd.exe	101
PID 3880 wrote to memory of 3168	3880	cmd.exe	102
PID 3880 wrote to memory of 3168	3880	cmd.exe	102
PID 3168 wrote to memory of 1012	3168	KamiRat.exe	103
PID 3168 wrote to memory of 1012	3168	KamiRat.exe	103
PID 3168 wrote to memory of 2380	3168	KamiRat.exe	105
PID 3168 wrote to memory of 2380	3168	KamiRat.exe	105
PID 2380 wrote to memory of 1796	2380	cmd.exe	107
PID 2380 wrote to memory of 1796	2380	cmd.exe	107
PID 2380 wrote to memory of 4668	2380	cmd.exe	108
PID 2380 wrote to memory of 4668	2380	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CelexV2.exe
"C:\Users\Admin\AppData\Local\Temp\CelexV2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4580
- C:\Windows\system32\Kami\KamiRat.exe
  "C:\Windows\system32\Kami\KamiRat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6yE5IPeiFJGr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4612
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3536
  - - C:\Windows\system32\Kami\KamiRat.exe
      "C:\Windows\system32\Kami\KamiRat.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ZUE7pJAgeAW.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1604
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4024
      - C:\Windows\system32\Kami\KamiRat.exe
        
        "C:\Windows\system32\Kami\KamiRat.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "KamiRat (deactivate this or it will run a the computer startup)" /sc ONLOGON /tr "C:\Windows\system32\Kami\KamiRat.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O8SEBxO0xxRe.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\CelexV2.exe
"C:\Users\Admin\AppData\Local\Temp\CelexV2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CelexV2.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KamiRat.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ZUE7pJAgeAW.bat

Filesize
195B

MD5
a08fd31c6006098b009aebd647e34760

SHA1
124e163fba19cd27803b0ff19e228bd587c501de

SHA256
131a6a48f441b7e6936121ce44d752961244015ac1ddc9bb189ed973e9bfb7a6

SHA512
78855830aaac610643bbc8db72083c3bfa845089dcb9e30e7b476eb9395d22ae6356928d85fe750f150e6b9da8979458661859d8413c352ce128dfeefee1bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6yE5IPeiFJGr.bat

Filesize
195B

MD5
2d6da53ad7170fc8e6ab1d17c81b96fe

SHA1
99229fbac4edb1fdc6635aeaab8b913eca225979

SHA256
036f35ee715edf898b621766b805ee107ffe65a779f221beef5712f79f6efebd

SHA512
c6e43af1d52139f9daaaef2136f3fbfc542b0334cbd49014d9c5cb448e8c80d5aea85d5ecf3bec5b261e66d9b53db0de5a817ec96fc641eb5c21ab3d62165475

Download Submit
C:\Users\Admin\AppData\Local\Temp\O8SEBxO0xxRe.bat

Filesize
195B

MD5
83cfc02e86141e4b7e41e2eb9cbf3a98

SHA1
3c43403fe9b45f63c893c2df227fa4c7e1e39f02

SHA256
2b756993e44b5afd4e28e574d4d304b6a5654d2bea8f2f282e66cb86ed6d1959

SHA512
a4d57c2e10f6a282bac5a52205b6059da076ad78a227407a3aabe6959e721622173131cf89bf5c0deeea3e0aaccbb81601c2fa1394b38e08afd689efb608936d

Download Submit
C:\Windows\System32\Kami\KamiRat.exe

Filesize
3.4MB

MD5
086ecd8c32492885d5776efc72a551cc

SHA1
05c8a9ea60d0012f9c48d1e4c083a7dafb98b776

SHA256
26052a7cbba762383fc09fa567fbe0e4dae8c0f6cd8d1253b656f56cc68fc770

SHA512
facceff510b9a384471c2081126c64e4308ff1eb7b14db6974ce6c7d7fbde004e0d37b6d7eccb525c705249cba40fa1e32fb4be8ef04abaec18132917d589dc6

Download Submit
memory/1952-23-0x000000001CDC0000-0x000000001D2E8000-memory.dmp

Filesize
5.2MB

Download
memory/2988-9-0x00007FFEAC350000-0x00007FFEACE12000-memory.dmp

Filesize
10.8MB

Download
memory/2988-13-0x000000001B9F0000-0x000000001BAA2000-memory.dmp

Filesize
712KB

Download
memory/2988-18-0x00007FFEAC350000-0x00007FFEACE12000-memory.dmp

Filesize
10.8MB

Download
memory/2988-12-0x000000001B8E0000-0x000000001B930000-memory.dmp

Filesize
320KB

Download
memory/2988-11-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4808-10-0x00007FFEAC350000-0x00007FFEACE12000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x0000000000E50000-0x00000000011B6000-memory.dmp

Filesize
3.4MB

Download
memory/4808-2-0x000000001BFD0000-0x000000001BFE0000-memory.dmp

Filesize
64KB

Download
memory/4808-1-0x00007FFEAC350000-0x00007FFEACE12000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads