quasar | 5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d

General

Target

R0X-Built.exe
Size

409KB
MD5

baed4bf822391e30e4dbe2ae0ea3fcfe
SHA1

d978134771b65bace600644691b4d30c893920e8
SHA256

5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d
SHA512

b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452
SSDEEP

6144:OMS2pJAJcC0B6ezDDORUjySfNr3FHg60x4gQRbcdVsmAklsGEUGka9mC:jpyJcC+VzDDORm1rUQyiklFEUGka9mC

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

centre-clan.gl.at.ply.gg:40354

Mutex

$Sxr-HfroCBO1JCip2IbHKX

Attributes

encryption_key
2mXe0Epj621bYEM4YYhW
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2476-1-0x0000000000E00000-0x0000000000E6C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe	family_quasar
behavioral1/memory/2512-10-0x0000000000BE0000-0x0000000000C4C000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

$srr-powershell.exe

pid process

2512 $srr-powershell.exe
Loads dropped DLL 1 IoCs

Processes:

R0X-Built.exe

pid process

2476 R0X-Built.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeSCHTASKS.exeSCHTASKS.exe

pid process

2596 schtasks.exe
2156 schtasks.exe
2392 SCHTASKS.exe
1236 SCHTASKS.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2128 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

R0X-Built.exe$srr-powershell.exe

description pid process

Token: SeDebugPrivilege 2476 R0X-Built.exe
Token: SeDebugPrivilege 2512 $srr-powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$srr-powershell.exe

pid process

2512 $srr-powershell.exe

pid	process
2512	$srr-powershell.exe

pid	process
2476	R0X-Built.exe

flow	ioc
2	ip-api.com

pid	process
2596	schtasks.exe
2156	schtasks.exe
2392	SCHTASKS.exe
1236	SCHTASKS.exe

pid	process
2128	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2476	R0X-Built.exe
Token: SeDebugPrivilege	2512	$srr-powershell.exe

pid	process
2512	$srr-powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

R0X-Built.exe$srr-powershell.execmd.exe

description	pid	process	target process
PID 2476 wrote to memory of 2596	2476	R0X-Built.exe	schtasks.exe
PID 2476 wrote to memory of 2596	2476	R0X-Built.exe	schtasks.exe
PID 2476 wrote to memory of 2596	2476	R0X-Built.exe	schtasks.exe
PID 2476 wrote to memory of 2596	2476	R0X-Built.exe	schtasks.exe
PID 2476 wrote to memory of 2512	2476	R0X-Built.exe	$srr-powershell.exe
PID 2476 wrote to memory of 2512	2476	R0X-Built.exe	$srr-powershell.exe
PID 2476 wrote to memory of 2512	2476	R0X-Built.exe	$srr-powershell.exe
PID 2476 wrote to memory of 2512	2476	R0X-Built.exe	$srr-powershell.exe
PID 2512 wrote to memory of 2156	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2156	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2156	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2156	2512	$srr-powershell.exe	schtasks.exe
PID 2476 wrote to memory of 2392	2476	R0X-Built.exe	SCHTASKS.exe
PID 2476 wrote to memory of 2392	2476	R0X-Built.exe	SCHTASKS.exe
PID 2476 wrote to memory of 2392	2476	R0X-Built.exe	SCHTASKS.exe
PID 2476 wrote to memory of 2392	2476	R0X-Built.exe	SCHTASKS.exe
PID 2512 wrote to memory of 2568	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2568	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2568	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 2568	2512	$srr-powershell.exe	schtasks.exe
PID 2512 wrote to memory of 1684	2512	$srr-powershell.exe	cmd.exe
PID 2512 wrote to memory of 1684	2512	$srr-powershell.exe	cmd.exe
PID 2512 wrote to memory of 1684	2512	$srr-powershell.exe	cmd.exe
PID 2512 wrote to memory of 1684	2512	$srr-powershell.exe	cmd.exe
PID 1684 wrote to memory of 2800	1684	cmd.exe	chcp.com
PID 1684 wrote to memory of 2800	1684	cmd.exe	chcp.com
PID 1684 wrote to memory of 2800	1684	cmd.exe	chcp.com
PID 1684 wrote to memory of 2800	1684	cmd.exe	chcp.com
PID 1684 wrote to memory of 2128	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 2128	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 2128	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 2128	1684	cmd.exe	PING.EXE
PID 2512 wrote to memory of 1236	2512	$srr-powershell.exe	SCHTASKS.exe
PID 2512 wrote to memory of 1236	2512	$srr-powershell.exe	SCHTASKS.exe
PID 2512 wrote to memory of 1236	2512	$srr-powershell.exe	SCHTASKS.exe
PID 2512 wrote to memory of 1236	2512	$srr-powershell.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe
"C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2596

C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2156

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "$srr-mstha" /f
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYXcnGaS3Y1h.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2800

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2128

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77$srr-powershell.exe" /tr "'C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IYXcnGaS3Y1h.bat
Filesize
272B

MD5
4e7fa1774ee2ddb2a32c7ce51ddc1ac6

SHA1
687650695c5e5483c03d1781a42553fd4b7fc40a

SHA256
a86e272425bb20e8e36b064b9b541451ce9cb297b880902abd42149bb9e7fcbb

SHA512
c257d339ae89db41479cbf26027d9127bcbad445f8aadf266e19963e26084253d22fbc2b0b8cb2628cd285bbe8068e5c753ace827650762cdff3864ff1e065b4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-04-~1
Filesize
224B

MD5
753d6eea5cd2f383f5e70aeeeafae7da

SHA1
974854be63dab08d6a3ec1321cfe3e8701256fe9

SHA256
eabe90f555c3e371709077cb4b1c0fc4abd7dbc9c6e5666ef55b9b4a9341275e

SHA512
ac6f75bdadc7bace977569d2bb1d3da0f67a0f525aee121b7a720e08a2e9057f8cdbc143eefe60ea13da8bb6b0d591da632cc43ae5811fcea06374a91c5ed474

Download Submit
\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
Filesize
409KB

MD5
baed4bf822391e30e4dbe2ae0ea3fcfe

SHA1
d978134771b65bace600644691b4d30c893920e8

SHA256
5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d

SHA512
b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452

Download Submit
memory/2476-14-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-1-0x0000000000E00000-0x0000000000E6C000-memory.dmp

Filesize
432KB

Download
memory/2476-2-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/2512-12-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-15-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-16-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-11-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-26-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-10-0x0000000000BE0000-0x0000000000C4C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads