quasar | fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413

General

Target

fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe
Size

3.1MB
MD5

f1dd84b637552358cfc4b9dda1dc04f7
SHA1

118d8a8f4df0bd95303c977f2fa2883dbd8f4222
SHA256

fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413
SHA512

ff54ac3d296fa0907a073922b19067c942b398290c86d7b2b176f5d15c49b6486348499ac5f121aef8e5bb9ecbd1c4c6d00320528ac6b82701ccec64cf91f5da
SSDEEP

49152:GvUt62XlaSFNWPjljiFa2RoUYI5zbvsBx3AoGdkTHHB72eh2NT:GvI62XlaSFNWPjljiFXRoUYI5fvr

Score

10^/10

quasar krampus.gg spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Krampus.gg

C2

10.0.0.76:4782

Mutex

b2297f47-c39d-4f55-91d6-74d9f38e9fd1

Attributes

encryption_key
21407C13DE42FCCADE77E86119A8CD11B5DCC515
install_name
Krampus.gg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe	family_quasar
behavioral1/memory/2548-8-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000DF0000-0x0000000001114000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2548-8-0x0000000001220000-0x0000000001544000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000DF0000-0x0000000001114000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2548-8-0x0000000001220000-0x0000000001544000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000DF0000-0x0000000001114000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2548-8-0x0000000001220000-0x0000000001544000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE 1 IoCs

Processes:

Krampus.gg.exe

pid process

2548 Krampus.gg.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2192 schtasks.exe
2672 schtasks.exe

pid	process
2548	Krampus.gg.exe

pid	process
2192	schtasks.exe
2672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exeKrampus.gg.exe

description	pid	process
Token: SeDebugPrivilege	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe
Token: SeDebugPrivilege	2548	Krampus.gg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Krampus.gg.exe

pid process

2548 Krampus.gg.exe

pid	process
2548	Krampus.gg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exeKrampus.gg.exe

description	pid	process	target process
PID 2348 wrote to memory of 2192	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	schtasks.exe
PID 2348 wrote to memory of 2192	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	schtasks.exe
PID 2348 wrote to memory of 2192	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	schtasks.exe
PID 2348 wrote to memory of 2548	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	Krampus.gg.exe
PID 2348 wrote to memory of 2548	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	Krampus.gg.exe
PID 2348 wrote to memory of 2548	2348	fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe	Krampus.gg.exe
PID 2548 wrote to memory of 2672	2548	Krampus.gg.exe	schtasks.exe
PID 2548 wrote to memory of 2672	2548	Krampus.gg.exe	schtasks.exe
PID 2548 wrote to memory of 2672	2548	Krampus.gg.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe
"C:\Users\Admin\AppData\Local\Temp\fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2192

C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Krampus.gg.exe

Filesize
3.1MB

MD5
f1dd84b637552358cfc4b9dda1dc04f7

SHA1
118d8a8f4df0bd95303c977f2fa2883dbd8f4222

SHA256
fc3e553270ca9ee914c8b813393d3a2a659a2a18e51b6a730036348bc4cae413

SHA512
ff54ac3d296fa0907a073922b19067c942b398290c86d7b2b176f5d15c49b6486348499ac5f121aef8e5bb9ecbd1c4c6d00320528ac6b82701ccec64cf91f5da

Download Submit
memory/2348-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/2348-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-11-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-9-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-8-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/2548-10-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-12-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads