quasar | 82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7

Analysis

max time kernel
616s
max time network
1608s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynV2.exe
Size

3.1MB
MD5

007e5cb679d162307ae1e97aae6b60bb
SHA1

a03429b7d5bf4fbe507863f110782b17b3de98ef
SHA256

82c4ebbea3a1cf61cb81196e865149b679df63dacaceef1e1242ce9b855aedf7
SHA512

eb2298577149e34238475eee4329ac031efe4433ca8d3b9951bc1914c52e633a8c4b1034c4ff9b6f79364250cede584b25d9c13556f4fe35ec6be5ac0661a2c0
SSDEEP

49152:pvjt62XlaSFNWPjljiFa2RoUYI204lhhgvJ6EoGdxsTHHB72eh2NT:pvx62XlaSFNWPjljiFXRoUYIchm

Score

10^/10

quasar shiba spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

sites-mood.gl.at.ply.gg:50107

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes

encryption_key
A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7
install_name
$sxr-insta.exe
log_directory
$sxr-logs
reconnect_delay
1000
startup_key
$sxr-mstha
subdirectory
$sxr-start

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/4448-1-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
96	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	SynV2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4368	4448	SynV2.exe	74
PID 4448 wrote to memory of 4368	4448	SynV2.exe	74
PID 4368 wrote to memory of 4200	4368	cmd.exe	76
PID 4368 wrote to memory of 4200	4368	cmd.exe	76
PID 4368 wrote to memory of 96	4368	cmd.exe	77
PID 4368 wrote to memory of 96	4368	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\SynV2.exe
"C:\Users\Admin\AppData\Local\Temp\SynV2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsLoXYlOrgNg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4200
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:96

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PsLoXYlOrgNg.bat

Filesize
206B

MD5
6b141e3be21cc1b56a6fea31f44746ee

SHA1
ab9f0c46a8ab866776099e6731dd33b0048b1393

SHA256
eb7639bc7ceb8432300f8b3e52c8c72b74b4fcea8ae1661ce2ba5499b09654e9

SHA512
53f91ddc1a5a4c2392be0f2c11e5a23029e6256867d10037b7b289c1964d4b2508e772c4881f3c5e61a233429c4d937956802b4f650d2a8997c4dc3669c930cc

Download Submit
memory/4448-0-0x00007FFA9C3B3000-0x00007FFA9C3B4000-memory.dmp

Filesize
4KB

Download
memory/4448-1-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/4448-2-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-3-0x0000000003580000-0x00000000035D0000-memory.dmp

Filesize
320KB

Download
memory/4448-4-0x000000001C3B0000-0x000000001C462000-memory.dmp

Filesize
712KB

Download
memory/4448-8-0x000000001C330000-0x000000001C36E000-memory.dmp

Filesize
248KB

Download
memory/4448-7-0x00000000035D0000-0x00000000035E2000-memory.dmp

Filesize
72KB

Download
memory/4448-9-0x00007FFA9C3B3000-0x00007FFA9C3B4000-memory.dmp

Filesize
4KB

Download
memory/4448-10-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download
memory/4448-15-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp

Filesize
9.9MB

Download