quasar | 630001fa4519808fd9203d695549174388a58f1a164a0abe29478d3685a74f26

General

Target

19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe
Size

3.1MB
MD5

19451df9007da7ff2487be92a77fa250
SHA1

fca38124a0a074a09b1f34b322073acb2721b86e
SHA256

630001fa4519808fd9203d695549174388a58f1a164a0abe29478d3685a74f26
SHA512

80c62c24bd3a17fb0001074ab076a1d60ee65d39ada969c13d9057423fbcaaf447308712ec073c74c0e36e1131c10a4bdb86e9d03563f1fa2f447bb53f581dc9
SSDEEP

49152:4v5I22SsaNYfdPBldt698dBcjHj0+o+KMfutoGdZU8zTHHB72eh2NT:4v622SsaNYfdPBldt6+dBcjHj0+o+OJ

Score

10^/10

quasar hawa slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hawa Slave

C2

having-bunny.gl.at.ply.gg:32381

Mutex

c043154e-c770-47c9-83a7-6cfcfe2e8a81

Attributes

encryption_key
89EA4FFE5F728FABCCAA501D85497C89A98F95CB
install_name
powershell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe	family_quasar
behavioral1/memory/2628-10-0x0000000000D30000-0x0000000001054000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

powershell.exe

pid process

2628 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2820 schtasks.exe
2800 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1792 19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe
Token: SeDebugPrivilege 2628 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

powershell.exe

pid process

2628 powershell.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

powershell.exe

pid process

2628 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2628 powershell.exe

pid	process
2628	powershell.exe

pid	process
2820	schtasks.exe
2800	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe
Token: SeDebugPrivilege	2628	powershell.exe

pid	process
2628	powershell.exe

pid	process
2628	powershell.exe

pid	process
2628	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exepowershell.exe

description	pid	process	target process
PID 1792 wrote to memory of 2820	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	schtasks.exe
PID 1792 wrote to memory of 2820	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	schtasks.exe
PID 1792 wrote to memory of 2820	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	schtasks.exe
PID 1792 wrote to memory of 2628	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	powershell.exe
PID 1792 wrote to memory of 2628	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	powershell.exe
PID 1792 wrote to memory of 2628	1792	19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe	powershell.exe
PID 2628 wrote to memory of 2800	2628	powershell.exe	schtasks.exe
PID 2628 wrote to memory of 2800	2628	powershell.exe	schtasks.exe
PID 2628 wrote to memory of 2800	2628	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2820

C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe

Filesize
3.1MB

MD5
19451df9007da7ff2487be92a77fa250

SHA1
fca38124a0a074a09b1f34b322073acb2721b86e

SHA256
630001fa4519808fd9203d695549174388a58f1a164a0abe29478d3685a74f26

SHA512
80c62c24bd3a17fb0001074ab076a1d60ee65d39ada969c13d9057423fbcaaf447308712ec073c74c0e36e1131c10a4bdb86e9d03563f1fa2f447bb53f581dc9

Download Submit
memory/1792-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1792-1-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download
memory/1792-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-8-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-10-0x0000000000D30000-0x0000000001054000-memory.dmp

Filesize
3.1MB

Download
memory/2628-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-9-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads