quasar | 2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZebraObfuscator.exe
Size

3.1MB
MD5

a98be80edea7fa660fc36b2702ad262b
SHA1

b18b3cada82a61bfbb1ed5d56550223ce0d10fe2
SHA256

2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a
SHA512

82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a
SSDEEP

49152:TvEI22SsaNYfdPBldt698dBcjHi0iUuBeYuocdkhRoTHHB72eh2NT:Tvp22SsaNYfdPBldt6+dBcjHi5UzG

Score

10^/10

quasar obfuscator spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Obfuscator

even-lemon.gl.at.ply.gg:33587

Mutex

1272508c-0529-4a9c-ae6e-b9fe2c597a25

Attributes

encryption_key
2695178836BA12133DD75A122E23A754EAD78C5F
install_name
$sxr-powershell.exe
log_directory
Windows
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1384-1-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

$sxr-powershell.exe

pid process

2724 $sxr-powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4108 schtasks.exe
4612 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ZebraObfuscator.exe$sxr-powershell.exe

description pid process

Token: SeDebugPrivilege 1384 ZebraObfuscator.exe
Token: SeDebugPrivilege 2724 $sxr-powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

2724 $sxr-powershell.exe

pid	process
2724	$sxr-powershell.exe

pid	process
4108	schtasks.exe
4612	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1384	ZebraObfuscator.exe
Token: SeDebugPrivilege	2724	$sxr-powershell.exe

pid	process
2724	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ZebraObfuscator.exe$sxr-powershell.exe

description	pid	process	target process
PID 1384 wrote to memory of 4108	1384	ZebraObfuscator.exe	schtasks.exe
PID 1384 wrote to memory of 4108	1384	ZebraObfuscator.exe	schtasks.exe
PID 1384 wrote to memory of 2724	1384	ZebraObfuscator.exe	$sxr-powershell.exe
PID 1384 wrote to memory of 2724	1384	ZebraObfuscator.exe	$sxr-powershell.exe
PID 2724 wrote to memory of 4612	2724	$sxr-powershell.exe	schtasks.exe
PID 2724 wrote to memory of 4612	2724	$sxr-powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\ZebraObfuscator.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4108

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize
3.1MB

MD5
a98be80edea7fa660fc36b2702ad262b

SHA1
b18b3cada82a61bfbb1ed5d56550223ce0d10fe2

SHA256
2acce0fae72f9e23576cc9826106695c4d168cb010927ec45fd404af32db9d0a

SHA512
82d7090d044f4bfc2f0993b4fec70b11d0a16364d8c1a764418d95845ae7f67647a800040ea2e8405d0b836eab62f2fe171a420ebafd548d52decec4cae42c4a

Download Submit
memory/1384-0-0x00007FF841563000-0x00007FF841565000-memory.dmp

Filesize
8KB

Download
memory/1384-1-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/1384-2-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/1384-9-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2724-10-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2724-11-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/2724-12-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/2724-13-0x000000001B920000-0x000000001B9D2000-memory.dmp

Filesize
712KB

Download
memory/2724-14-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download