quasar | 2455555f8a5b6f30b3557cc427a78c24f008075ac3826b165b8d2554ecb53e08

General

Target

FortiCracke/FortiCracke/Fortnite Cracker.exe
Size

5.5MB
MD5

b9b970ba0af4644bb8036eb499e871b9
SHA1

4dc39e73054b2c38a3ae30db1abf229aaf282965
SHA256

5cfa868cfac6015908731e5c0541e52e3d57ea8c81d416ec419315e0a99e8d09
SHA512

3208a3a40af2c200d44b05f3d84c88e23e13bdf6e1ce7e7a3b82fdd4cff2589b5a5a62ce3a02388bdc03619b3e0bae359e47f8b97a070594ca5d2774ae65a9b8
SSDEEP

49152:eO/SXkQ9jdLStzMdgS+dt0XYI2w+LSignW+Yeg3s1UeiVQgGwD/xT0SJy3G+c:

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

Javvaa.accesscam.org:4782

Mutex

QSR_MUTEX_1DLvM9FtGeSt3qpyvo

Attributes

encryption_key
AxLKBxIEAMOuWNEzFsDB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Client.exe	family_quasar
behavioral1/memory/1916-17-0x0000000000390000-0x00000000003EE000-memory.dmp	family_quasar
behavioral1/memory/2428-25-0x0000000000D20000-0x0000000000D7E000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

FortiCrack.exeClient.exeClient.exeClient.exe

pid process

2892 FortiCrack.exe
1916 Client.exe
2428 Client.exe
240 Client.exe

pid	process
2892	FortiCrack.exe
1916	Client.exe
2428	Client.exe
240	Client.exe

Loads dropped DLL 9 IoCs

Processes:

Fortnite Cracker.exeClient.exeWerFault.execmd.exe

pid	process
2188	Fortnite Cracker.exe
2188	Fortnite Cracker.exe
1916	Client.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
1280	cmd.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2640 2428 WerFault.exe Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1724 schtasks.exe
2292 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2328 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exeClient.exe

description pid process

Token: SeDebugPrivilege 1916 Client.exe
Token: SeDebugPrivilege 2428 Client.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FortiCrack.exeClient.exe

pid process

2892 FortiCrack.exe
2428 Client.exe

flow	ioc
2	ip-api.com

pid	pid_target	process	target process
2640	2428	WerFault.exe	Client.exe

pid	process
1724	schtasks.exe
2292	schtasks.exe

pid	process
2328	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1916	Client.exe
Token: SeDebugPrivilege	2428	Client.exe

pid	process
2892	FortiCrack.exe
2428	Client.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Fortnite Cracker.exeClient.exeClient.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2892	2188	Fortnite Cracker.exe	FortiCrack.exe
PID 2188 wrote to memory of 2892	2188	Fortnite Cracker.exe	FortiCrack.exe
PID 2188 wrote to memory of 2892	2188	Fortnite Cracker.exe	FortiCrack.exe
PID 2188 wrote to memory of 2892	2188	Fortnite Cracker.exe	FortiCrack.exe
PID 2188 wrote to memory of 1916	2188	Fortnite Cracker.exe	Client.exe
PID 2188 wrote to memory of 1916	2188	Fortnite Cracker.exe	Client.exe
PID 2188 wrote to memory of 1916	2188	Fortnite Cracker.exe	Client.exe
PID 2188 wrote to memory of 1916	2188	Fortnite Cracker.exe	Client.exe
PID 1916 wrote to memory of 1724	1916	Client.exe	schtasks.exe
PID 1916 wrote to memory of 1724	1916	Client.exe	schtasks.exe
PID 1916 wrote to memory of 1724	1916	Client.exe	schtasks.exe
PID 1916 wrote to memory of 1724	1916	Client.exe	schtasks.exe
PID 1916 wrote to memory of 2428	1916	Client.exe	Client.exe
PID 1916 wrote to memory of 2428	1916	Client.exe	Client.exe
PID 1916 wrote to memory of 2428	1916	Client.exe	Client.exe
PID 1916 wrote to memory of 2428	1916	Client.exe	Client.exe
PID 2428 wrote to memory of 2292	2428	Client.exe	schtasks.exe
PID 2428 wrote to memory of 2292	2428	Client.exe	schtasks.exe
PID 2428 wrote to memory of 2292	2428	Client.exe	schtasks.exe
PID 2428 wrote to memory of 2292	2428	Client.exe	schtasks.exe
PID 2428 wrote to memory of 1280	2428	Client.exe	cmd.exe
PID 2428 wrote to memory of 1280	2428	Client.exe	cmd.exe
PID 2428 wrote to memory of 1280	2428	Client.exe	cmd.exe
PID 2428 wrote to memory of 1280	2428	Client.exe	cmd.exe
PID 2428 wrote to memory of 2640	2428	Client.exe	WerFault.exe
PID 2428 wrote to memory of 2640	2428	Client.exe	WerFault.exe
PID 2428 wrote to memory of 2640	2428	Client.exe	WerFault.exe
PID 2428 wrote to memory of 2640	2428	Client.exe	WerFault.exe
PID 1280 wrote to memory of 1028	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1028	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1028	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 1028	1280	cmd.exe	chcp.com
PID 1280 wrote to memory of 2328	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 2328	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 2328	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 2328	1280	cmd.exe	PING.EXE
PID 1280 wrote to memory of 240	1280	cmd.exe	Client.exe
PID 1280 wrote to memory of 240	1280	cmd.exe	Client.exe
PID 1280 wrote to memory of 240	1280	cmd.exe	Client.exe
PID 1280 wrote to memory of 240	1280	cmd.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\FortiCracke\FortiCracke\Fortnite Cracker.exe
"C:\Users\Admin\AppData\Local\Temp\FortiCracke\FortiCracke\Fortnite Cracker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\FortiCrack.exe
"C:\Users\Admin\AppData\Local\Temp\FortiCrack.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1724

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LDaPvKfTwax6.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2328

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
5⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1448
4⤵
- Loads dropped DLL
- Program crash
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LDaPvKfTwax6.bat

Filesize
207B

MD5
75e058c96444c40b64b107c7886fe9bb

SHA1
e72579eaa76071f3ebcb16b3eee4f20c045fc9c2

SHA256
2d821d67014aae2116d3bb939a2d573c96051956261cd45f440a28a2171a7347

SHA512
b7a012edaf29229e0a00c39aa43f02f64c8cbab858724efdafc826c9771e651b923ab21d8991820cf21cc70ed2682b3ad0abee9b80321d676c4c5f1ca6c00571

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
349KB

MD5
0253c552f0c08f4f503018d8a6f496dd

SHA1
562f17e8a60c30c3552f9d38be1a1c8dc612f76b

SHA256
5069416fe7565f5589e9548b44ac5fca7af7ef4262857ef6a4928e0814e6b19b

SHA512
81ec5b1c03aefffee5dadc51364d0008dea6d58185c132d38b9dbb757964d1eafc22c5bf706912d60e56b4814c902cf6ca4747e9fb32bc01597e838b67369969

Download Submit
\Users\Admin\AppData\Local\Temp\FortiCrack.exe

Filesize
3.8MB

MD5
89cb90def5409b7d21dbc1352a19aee5

SHA1
39ef0a095fba269b35c71acb7b92c68c854a0c72

SHA256
8f22f1b6620608f568bd79a255db4d4ac282a7b54d596d75be7ae1e9ae11ec79

SHA512
c798a32ca9772ad2879412e153fe1c4499b08a59b71b65e87c2b586bc1ff9b56530f0b38b6a0b506b92bfab0db12dd54337c894e80abb85cbb853ff3b85c8f7c

Download Submit
memory/1916-17-0x0000000000390000-0x00000000003EE000-memory.dmp

Filesize
376KB

Download
memory/2188-0-0x0000000074341000-0x0000000074342000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2188-2-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2188-16-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-25-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download
memory/2892-41-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads