quasar | e5429c4ca6a72ebefb61fd3da470a2f8aea6b82cbbeb495834e3d376ce06f878

General

Target

SeroXen Launcher.exe
Size

787KB
MD5

17db30a8534b23522fd78de47c0dcb0e
SHA1

54090b4efef19f75920d4d4777a540949291915e
SHA256

e5429c4ca6a72ebefb61fd3da470a2f8aea6b82cbbeb495834e3d376ce06f878
SHA512

33b9481f07fe4341f7ad527379570018ff8bf6d8c6a4a5b8cc42b128d7ecbfe16462a8c437d139a37335211d1a0f1b4c0afea216b2a6cfcb7cd30bed76a971de
SSDEEP

12288:OTzmTxA8/CRrETd9n0B0r90X31CW2GvdwaAElhB8X3v/0qjegZD94Vx1WCaTs:UjZ4Z0B2ClyadnB8X3v/0qjeqx2TWCd

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-saP4G4ZSqv4MBoKbNC

Attributes

encryption_key
VKNoex1bjxGlbI08GaQD
install_name
$sxr-powershell.exe
log_directory
$SXR-KEYLOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Video.exe	family_quasar
behavioral1/memory/1552-30-0x0000000000930000-0x000000000099C000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

SeroR0X.exeVideo.exe$sxr-powershell.exe

pid process

5032 SeroR0X.exe
1552 Video.exe
3668 $sxr-powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

940 schtasks.exe
644 SCHTASKS.exe
4296 schtasks.exe
380 SCHTASKS.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2028 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Video.exe$sxr-powershell.exe

description pid process

Token: SeDebugPrivilege 1552 Video.exe
Token: SeDebugPrivilege 3668 $sxr-powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

3668 $sxr-powershell.exe

pid	process
5032	SeroR0X.exe
1552	Video.exe
3668	$sxr-powershell.exe

flow	ioc
1	ip-api.com

pid	process
940	schtasks.exe
644	SCHTASKS.exe
4296	schtasks.exe
380	SCHTASKS.exe

pid	process
2028	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1552	Video.exe
Token: SeDebugPrivilege	3668	$sxr-powershell.exe

pid	process
3668	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

SeroXen Launcher.exeVideo.exe$sxr-powershell.execmd.exe

description	pid	process	target process
PID 4788 wrote to memory of 5032	4788	SeroXen Launcher.exe	SeroR0X.exe
PID 4788 wrote to memory of 5032	4788	SeroXen Launcher.exe	SeroR0X.exe
PID 4788 wrote to memory of 1552	4788	SeroXen Launcher.exe	Video.exe
PID 4788 wrote to memory of 1552	4788	SeroXen Launcher.exe	Video.exe
PID 4788 wrote to memory of 1552	4788	SeroXen Launcher.exe	Video.exe
PID 1552 wrote to memory of 4296	1552	Video.exe	schtasks.exe
PID 1552 wrote to memory of 4296	1552	Video.exe	schtasks.exe
PID 1552 wrote to memory of 4296	1552	Video.exe	schtasks.exe
PID 1552 wrote to memory of 3668	1552	Video.exe	$sxr-powershell.exe
PID 1552 wrote to memory of 3668	1552	Video.exe	$sxr-powershell.exe
PID 1552 wrote to memory of 3668	1552	Video.exe	$sxr-powershell.exe
PID 1552 wrote to memory of 380	1552	Video.exe	SCHTASKS.exe
PID 1552 wrote to memory of 380	1552	Video.exe	SCHTASKS.exe
PID 1552 wrote to memory of 380	1552	Video.exe	SCHTASKS.exe
PID 3668 wrote to memory of 940	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 940	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 940	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 2532	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 2532	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 2532	3668	$sxr-powershell.exe	schtasks.exe
PID 3668 wrote to memory of 3700	3668	$sxr-powershell.exe	cmd.exe
PID 3668 wrote to memory of 3700	3668	$sxr-powershell.exe	cmd.exe
PID 3668 wrote to memory of 3700	3668	$sxr-powershell.exe	cmd.exe
PID 3700 wrote to memory of 3480	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 3480	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 3480	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 2028	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 2028	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 2028	3700	cmd.exe	PING.EXE
PID 3668 wrote to memory of 644	3668	$sxr-powershell.exe	SCHTASKS.exe
PID 3668 wrote to memory of 644	3668	$sxr-powershell.exe	SCHTASKS.exe
PID 3668 wrote to memory of 644	3668	$sxr-powershell.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\SeroXen Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXen Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe
"C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe"
2⤵
- Executes dropped EXE
PID:5032

C:\Users\Admin\AppData\Local\Temp\Video.exe
"C:\Users\Admin\AppData\Local\Temp\Video.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Video.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4296

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "$sxr-powershell" /f
4⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKjA6ESdbMyx.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3480

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2028

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77$sxr-powershell.exe" /tr "'C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe'" /sc onlogon /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:644

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Video.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Video.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NKjA6ESdbMyx.bat

Filesize
286B

MD5
f8da600d5c92a6b2d8dac04318bcdd88

SHA1
27e01b2a1dfd1d296313ca8e7759adbc3552e2bb

SHA256
c866cb76db8057d24d6ca95d0e8970089dbf9187ddbe90ce2ceb9053c3cea16a

SHA512
6ddb9da308eee8324e65ae2bee3671802d06e8994366392e12951bf55949105baec3207ea5ef40e21690021fee2bf76c4a3e91e9680d4291060f6b4679d5093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeroR0X.exe

Filesize
1.3MB

MD5
925b20e8384c99e1c0d9b17f45058e68

SHA1
cc7b20dea8abb7cf76ef7ef7c3d833fbcd35fe41

SHA256
57e3bdc89c259aa1ad611158342d81e120f82b71928c3a72a28fe17d27b6b046

SHA512
7e0fc69c92a46c9e797ff058214877f49bf1a98d8f9388d55a720c0dbaeefb51596a1a7a4ec562859bd8998de61589944db7653bd73a623311c78569cf2a304b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Video.exe

Filesize
409KB

MD5
b44006746a6ab36772f3c462921c90a0

SHA1
ac481b9eba11ca87762c2a681732f9be6aadecf4

SHA256
63486bb123e8bdea602ae9f5433bd4a34e3e3aa738b134c50a4ae4da87c2c312

SHA512
b6b9897274b9da2f80115fd2baada05814c1975aca2ac73bdc1275f0a63787b1d7918b533918c57cf8bfc47597f79dfe973e78a595608a09b8457ea166826e89

Download Submit
C:\Users\Admin\AppData\Roaming\$SXR-KEYLOGS\05-15-~1

Filesize
224B

MD5
c2213b467d15a8480c2b1113a29ce70a

SHA1
d1965b08d72674b768792772224c95db25c251cf

SHA256
0a1e74a67c44a58bdddcbeb709ef2b79b46dfe689d626db3dafa7fd4bf278931

SHA512
be232ddecfc9d9e64453f94de595598d646341b16a65f06c5ede792e222ce1dcc76d8d59526e4cb5ebf7d5deef713621b3d11cee33093ac9ceed8f6784ba9641

Download Submit
memory/1552-34-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1552-28-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/1552-36-0x0000000006580000-0x00000000065BC000-memory.dmp

Filesize
240KB

Download
memory/1552-35-0x0000000006030000-0x0000000006042000-memory.dmp

Filesize
72KB

Download
memory/1552-30-0x0000000000930000-0x000000000099C000-memory.dmp

Filesize
432KB

Download
memory/1552-31-0x0000000005880000-0x0000000005E26000-memory.dmp

Filesize
5.6MB

Download
memory/1552-32-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/3668-44-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/4788-29-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/4788-0-0x00007FF9B0373000-0x00007FF9B0375000-memory.dmp

Filesize
8KB

Download
memory/4788-21-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/4788-1-0x0000000000610000-0x00000000006DA000-memory.dmp

Filesize
808KB

Download
memory/5032-33-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/5032-27-0x00007FF9B0370000-0x00007FF9B0E32000-memory.dmp

Filesize
10.8MB

Download
memory/5032-25-0x000001B66ECB0000-0x000001B66EE00000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads