quasar | 82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7

Analysis

max time kernel
1795s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynV2.exe
Size

3.1MB
MD5

007e5cb679d162307ae1e97aae6b60bb
SHA1

a03429b7d5bf4fbe507863f110782b17b3de98ef
SHA256

82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7
SHA512

eb2298577149e34238475eee4329ac031efe4433ca8d3b9951bc1914c52e633a8c4b1034c4ff9b6f79364250cede584b25d9c13556f4fe35ec6be5ac0661a2c0
SSDEEP

49152:pvjt62XlaSFNWPjljiFa2RoUYI204lhhgvJ6EoGdxsTHHB72eh2NT:pvx62XlaSFNWPjljiFXRoUYIchm

Score

10^/10

quasar shiba spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

sites-mood.gl.at.ply.gg:50107

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes

encryption_key
A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7
install_name
$sxr-insta.exe
log_directory
$sxr-logs
reconnect_delay
1000
startup_key
$sxr-mstha
subdirectory
$sxr-start

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-1-0x0000000000430000-0x0000000000754000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SynV2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation SynV2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1776 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SynV2.exe

description pid process

Token: SeDebugPrivilege 2676 SynV2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	SynV2.exe

pid	process
1776	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2676	SynV2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SynV2.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 2180	2676	SynV2.exe	cmd.exe
PID 2676 wrote to memory of 2180	2676	SynV2.exe	cmd.exe
PID 2180 wrote to memory of 1004	2180	cmd.exe	chcp.com
PID 2180 wrote to memory of 1004	2180	cmd.exe	chcp.com
PID 2180 wrote to memory of 1776	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 1776	2180	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\SynV2.exe
"C:\Users\Admin\AppData\Local\Temp\SynV2.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGs2hryDveiN.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1004

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CGs2hryDveiN.bat

Filesize
206B

MD5
19e6b2a5f6a56d4f14b8f05b8a0c5cdd

SHA1
430e5a4ebdba7031409c5b8471809e9fd88f3d2d

SHA256
487a644a7b99d18776085113f8efb6b2e4d5cd7245822a8f61c37272502da46d

SHA512
b38c8ebbc3127f9a5a9737d2579427142412b556828e3f4efe3dfadde78f0e478868a7b262260f933d10bc86b47bcc6990b63ecffa9a4746809c9531d24e60f0

Download Submit
memory/2676-0-0x00007FFCC2C33000-0x00007FFCC2C35000-memory.dmp

Filesize
8KB

Download
memory/2676-1-0x0000000000430000-0x0000000000754000-memory.dmp

Filesize
3.1MB

Download
memory/2676-2-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-3-0x000000001B420000-0x000000001B470000-memory.dmp

Filesize
320KB

Download
memory/2676-4-0x000000001B830000-0x000000001B8E2000-memory.dmp

Filesize
712KB

Download
memory/2676-5-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2676-6-0x000000001B7B0000-0x000000001B7EC000-memory.dmp

Filesize
240KB

Download
memory/2676-7-0x00007FFCC2C33000-0x00007FFCC2C35000-memory.dmp

Filesize
8KB

Download
memory/2676-8-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

Filesize
10.8MB

Download
memory/2676-13-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

Filesize
10.8MB

Download