quasar | 7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b

Analysis

max time kernel
127s
max time network
137s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 19:23

Target

1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Size

348KB
MD5

1423a4be112f647fe95730150a842627
SHA1

ad705962c70d6d74afc7f69051c809240c1dc7d3
SHA256

7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b
SHA512

0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0
SSDEEP

6144:b+NHXf500MwDjCTHYr1b8i4YunbL/zMoXDme:6d50sjGoP4YunHAoXDme

Score

10^/10

Family

quasar

Version

1.3.0.0

Botnet

Slave

134.209.192.40:4782

Mutex

QSR_MUTEX_k8JOK9yrF6X0eZEc1V

Attributes

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-1-0x0000000001120000-0x000000000117E000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral1/memory/2648-9-0x0000000000F70000-0x0000000000FCE000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2648 Client.exe
Loads dropped DLL 1 IoCs

Processes:

1423a4be112f647fe95730150a842627_JaffaCakes118.exe

pid process

2740 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1423a4be112f647fe95730150a842627_JaffaCakes118.exeClient.exe

description pid process

Token: SeDebugPrivilege 2740 1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Token: SeDebugPrivilege 2648 Client.exe

pid	process
2648	Client.exe

pid	process
2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe

flow	ioc
2	ip-api.com

description	pid	process
Token: SeDebugPrivilege	2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	Client.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1423a4be112f647fe95730150a842627_JaffaCakes118.exe

description	pid	process	target process
PID 2740 wrote to memory of 2648	2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe
PID 2740 wrote to memory of 2648	2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe
PID 2740 wrote to memory of 2648	2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe
PID 2740 wrote to memory of 2648	2740	1423a4be112f647fe95730150a842627_JaffaCakes118.exe	Client.exe

\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
1423a4be112f647fe95730150a842627

SHA1
ad705962c70d6d74afc7f69051c809240c1dc7d3

SHA256
7655e16003aa8856e7585f5d4b76d39f9e56b784442c9523d9f0b7b9c85b714b

SHA512
0df8a840711259c5026d20c069e45a996aa92e821ac870d0ae66760617e31ce5feecbdf3b03a16f3945b13df1279c1902c9a46c498b0b235217e127e49157cb0

Download Submit
memory/2648-9-0x0000000000F70000-0x0000000000FCE000-memory.dmp

Filesize
376KB

Download
memory/2648-11-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-10-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-13-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x0000000001120000-0x000000000117E000-memory.dmp

Filesize
376KB

Download
memory/2740-2-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-12-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download