quasar | 424882a2484f8bacc7b3ffa79082ffe1d0f6b074fd2bb2b42b6b724a56332308

Analysis

max time kernel
95s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

errr.exe
Size

3.1MB
MD5

ef7a21c06d5bde1ef0979fb8948fb7f7
SHA1

b5f5467ec426b7c68ba6586feea8652023948020
SHA256

424882a2484f8bacc7b3ffa79082ffe1d0f6b074fd2bb2b42b6b724a56332308
SHA512

4c42a031f83a966a61eb0e630cf6600965a6f9366d25704493101405705718c9e5d4b4df8caec5791f5500da0c87c6c74000583cc124dabc4bd8b214666bcf3a
SSDEEP

49152:hvUI22SsaNYfdPBldt698dBcjHFzR160bR3toGdoTHHB72eh2NT:hvZ22SsaNYfdPBldt6+dBcjHFzR16o

Score

10^/10

quasar shiba spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

steel-repairs.gl.at.ply.gg:62743

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes

encryption_key
A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7
install_name
$sxr-insta.exe
log_directory
$sxr-logs
reconnect_delay
1000
startup_key
$sxr-mstha
subdirectory
$sxr-start

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1872-1-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023424-6.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	$sxr-insta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3728	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	errr.exe
Token: SeDebugPrivilege	2068	$sxr-insta.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	$sxr-insta.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2068	1872	errr.exe	87
PID 1872 wrote to memory of 2068	1872	errr.exe	87
PID 2068 wrote to memory of 3012	2068	$sxr-insta.exe	92
PID 2068 wrote to memory of 3012	2068	$sxr-insta.exe	92
PID 3012 wrote to memory of 3088	3012	cmd.exe	94
PID 3012 wrote to memory of 3088	3012	cmd.exe	94
PID 3012 wrote to memory of 3728	3012	cmd.exe	95
PID 3012 wrote to memory of 3728	3012	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\errr.exe
"C:\Users\Admin\AppData\Local\Temp\errr.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
  "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emZvKvXndWr1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3088
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\emZvKvXndWr1.bat

Filesize
219B

MD5
32e4a723486c7c3fa80ca095173491ea

SHA1
6685f40d80ae99a4ea5fd9ecb2390671d8a953d0

SHA256
277e3b7a64d1bea07aaf0f4bca6c64bb061aad5c3436c44392f934c7f9ff942e

SHA512
21f738da4847237102903ea5dfdc5635369814855494f16a9d7beabee6178a843047b1345b6f39636fcb8e0d2f7193ce08b71aab1c8f859e881789246798c3a7

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe

Filesize
3.1MB

MD5
ef7a21c06d5bde1ef0979fb8948fb7f7

SHA1
b5f5467ec426b7c68ba6586feea8652023948020

SHA256
424882a2484f8bacc7b3ffa79082ffe1d0f6b074fd2bb2b42b6b724a56332308

SHA512
4c42a031f83a966a61eb0e630cf6600965a6f9366d25704493101405705718c9e5d4b4df8caec5791f5500da0c87c6c74000583cc124dabc4bd8b214666bcf3a

Download Submit
memory/1872-0-0x00007FFA2B193000-0x00007FFA2B195000-memory.dmp

Filesize
8KB

Download
memory/1872-1-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/1872-2-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download
memory/1872-9-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-11-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-12-0x000000001CCA0000-0x000000001CCF0000-memory.dmp

Filesize
320KB

Download
memory/2068-13-0x000000001CDB0000-0x000000001CE62000-memory.dmp

Filesize
712KB

Download
memory/2068-14-0x000000001CCF0000-0x000000001CD02000-memory.dmp

Filesize
72KB

Download
memory/2068-15-0x000000001CD50000-0x000000001CD8C000-memory.dmp

Filesize
240KB

Download
memory/2068-16-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-21-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download
memory/2068-10-0x00007FFA2B190000-0x00007FFA2BC51000-memory.dmp

Filesize
10.8MB

Download