quasar | 6333b624e660914372affcb1c1018727a6af72e3f4cbf572e40f7f91596db233

General

Target

Poisontree.exe.bin.exe
Size

11KB
MD5

704a84956ccaafdf044a5aed5e02d7f6
SHA1

31e4f4591084991d0e1b56a8edb04c9c12c47f8d
SHA256

6333b624e660914372affcb1c1018727a6af72e3f4cbf572e40f7f91596db233
SHA512

c913e2358405d9fd089de4fcfca0b0784c5c5768c6dd790354bde0f2dabf191bdf8e0d98df7ac94ceb3075c2e94595b1bcb5479e45601df5b83129ca05c1bbdf
SSDEEP

192:yj6Zyx2ZDJ5xwdGO2zpKetQZz5ZLbrYWL39mxWpQVLSLrLF+3g8NaVe+fuSEZT:C6Zyx2ZDJ5xwdGO2zpKet+dZLtLNmxWk

Score

10^/10

quasar dilly spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

C2

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
en

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\defender64.exe	family_quasar
behavioral2/memory/3756-19-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Poisontree.exe.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Poisontree.exe.bin.exe

Executes dropped EXE 2 IoCs

Processes:

defender64.exedefenderx64.exe

pid process

3756 defender64.exe
5084 defenderx64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 raw.githubusercontent.com
21 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4104 schtasks.exe
3052 schtasks.exe

pid	process
3756	defender64.exe
5084	defenderx64.exe

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

pid	process
4104	schtasks.exe
3052	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Poisontree.exe.bin.exedefender64.exedefenderx64.exe

description	pid	process
Token: SeDebugPrivilege	2624	Poisontree.exe.bin.exe
Token: SeDebugPrivilege	3756	defender64.exe
Token: SeDebugPrivilege	5084	defenderx64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

defenderx64.exe

pid process

5084 defenderx64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

defenderx64.exe

pid process

5084 defenderx64.exe

pid	process
5084	defenderx64.exe

pid	process
5084	defenderx64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Poisontree.exe.bin.exedefender64.exedefenderx64.exe

description	pid	process	target process
PID 2624 wrote to memory of 3756	2624	Poisontree.exe.bin.exe	defender64.exe
PID 2624 wrote to memory of 3756	2624	Poisontree.exe.bin.exe	defender64.exe
PID 3756 wrote to memory of 4104	3756	defender64.exe	schtasks.exe
PID 3756 wrote to memory of 4104	3756	defender64.exe	schtasks.exe
PID 3756 wrote to memory of 5084	3756	defender64.exe	defenderx64.exe
PID 3756 wrote to memory of 5084	3756	defender64.exe	defenderx64.exe
PID 5084 wrote to memory of 3052	5084	defenderx64.exe	schtasks.exe
PID 5084 wrote to memory of 3052	5084	defenderx64.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Poisontree.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Poisontree.exe.bin.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\defender64.exe
"C:\Users\Admin\AppData\Local\Temp\defender64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4104

C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\defender64.exe

Filesize
3.1MB

MD5
a3ffca2a5a9a4917a64bcabccb4f9fad

SHA1
9cfc0318809849ab6f2edfc18f6975da812a9f51

SHA256
21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

SHA512
d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

Download Submit
memory/2624-30-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/2624-2-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2624-3-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/2624-4-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/2624-5-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-32-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2624-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2624-31-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-21-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3756-19-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/3756-27-0x00007FFD417C0000-0x00007FFD42281000-memory.dmp

Filesize
10.8MB

Download
memory/3756-20-0x00007FFD417C0000-0x00007FFD42281000-memory.dmp

Filesize
10.8MB

Download
memory/3756-18-0x00007FFD417C3000-0x00007FFD417C5000-memory.dmp

Filesize
8KB

Download
memory/5084-28-0x000000001BF10000-0x000000001BF60000-memory.dmp

Filesize
320KB

Download
memory/5084-29-0x000000001C020000-0x000000001C0D2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads