quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Reason

Machine shutdown

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen bootkit persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-1-0x00000000006C0000-0x000000000072C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 3 IoCs

Processes:

Client.exeXEwSIyWfdT7m.exedYOI9WYmiFsV.exe

pid process

2132 Client.exe
1424 XEwSIyWfdT7m.exe
864 dYOI9WYmiFsV.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

dYOI9WYmiFsV.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dYOI9WYmiFsV.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

1892 schtasks.exe
1420 SCHTASKS.exe
2188 schtasks.exe

pid	process
2132	Client.exe
1424	XEwSIyWfdT7m.exe
864	dYOI9WYmiFsV.exe

flow	ioc
1	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dYOI9WYmiFsV.exe

pid	process
1892	schtasks.exe
1420	SCHTASKS.exe
2188	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Uni.exeClient.exeAUDIODG.EXEdYOI9WYmiFsV.exe

description	pid	process
Token: SeDebugPrivilege	2860	Uni.exe
Token: SeDebugPrivilege	2132	Client.exe
Token: 33	4632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4632	AUDIODG.EXE
Token: SeShutdownPrivilege	864	dYOI9WYmiFsV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeXEwSIyWfdT7m.exe

pid process

2132 Client.exe
1424 XEwSIyWfdT7m.exe

pid	process
2132	Client.exe
1424	XEwSIyWfdT7m.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Uni.exeClient.exe

description	pid	process	target process
PID 2860 wrote to memory of 1892	2860	Uni.exe	schtasks.exe
PID 2860 wrote to memory of 1892	2860	Uni.exe	schtasks.exe
PID 2860 wrote to memory of 1892	2860	Uni.exe	schtasks.exe
PID 2860 wrote to memory of 2132	2860	Uni.exe	Client.exe
PID 2860 wrote to memory of 2132	2860	Uni.exe	Client.exe
PID 2860 wrote to memory of 2132	2860	Uni.exe	Client.exe
PID 2860 wrote to memory of 1420	2860	Uni.exe	SCHTASKS.exe
PID 2860 wrote to memory of 1420	2860	Uni.exe	SCHTASKS.exe
PID 2860 wrote to memory of 1420	2860	Uni.exe	SCHTASKS.exe
PID 2132 wrote to memory of 2188	2132	Client.exe	schtasks.exe
PID 2132 wrote to memory of 2188	2132	Client.exe	schtasks.exe
PID 2132 wrote to memory of 2188	2132	Client.exe	schtasks.exe
PID 2132 wrote to memory of 1424	2132	Client.exe	XEwSIyWfdT7m.exe
PID 2132 wrote to memory of 1424	2132	Client.exe	XEwSIyWfdT7m.exe
PID 2132 wrote to memory of 1424	2132	Client.exe	XEwSIyWfdT7m.exe
PID 2132 wrote to memory of 864	2132	Client.exe	dYOI9WYmiFsV.exe
PID 2132 wrote to memory of 864	2132	Client.exe	dYOI9WYmiFsV.exe
PID 2132 wrote to memory of 864	2132	Client.exe	dYOI9WYmiFsV.exe

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2188

C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe
"C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe
"C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Pre-OS Boot

1

T1542

Bootkit

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XEwSIyWfdT7m.exe
Filesize
276KB

MD5
120f3a38b2f4eb0f800ebe47ffa5e76b

SHA1
bed5148cc6a53e12a86ed635bb79135a568edd78

SHA256
3a195d762fd1e2f7f93eb4cbcef8fa9b600a6f94fc43b1c1c157b2c5e069154f

SHA512
60e66274203624afa422578d9807b21cbcc99de855dd665aa54753c957886677e358a2579ade098970c7ea3f9c3f2476c9e028fdabaac6ee991f09093fa52aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYOI9WYmiFsV.exe
Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
memory/2132-18-0x0000000006A90000-0x0000000006A9A000-memory.dmp

Filesize
40KB

Download
memory/2132-19-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2132-20-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2132-14-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2132-13-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2860-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/2860-7-0x0000000006440000-0x000000000647C000-memory.dmp

Filesize
240KB

Download
memory/2860-6-0x0000000005F10000-0x0000000005F22000-memory.dmp

Filesize
72KB

Download
memory/2860-16-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2860-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2860-4-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/2860-5-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/2860-2-0x0000000005800000-0x0000000005DA6000-memory.dmp

Filesize
5.6MB

Download
memory/2860-1-0x00000000006C0000-0x000000000072C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads