quasar | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

General

Target

34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Size

3.1MB
MD5

483d0a45f61e108b7a89c6707e138d62
SHA1

da16e84ef741a6a82038468da5990b25e3bf751c
SHA256

34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
SHA512

5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
SSDEEP

49152:Wvxt62XlaSFNWPjljiFa2RoUYIiyTCD8foGdIoTHHB72eh2NT:Wv762XlaSFNWPjljiFXRoUYIiyTCc

Score

10^/10

quasar beamed celex spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Beamed Celex

C2

192.168.2.102:5145

Nixon:5145

Mutex

a9d8efa6-449f-415c-bad7-c7fbd83156d2

Attributes

encryption_key
288C4AC276CDC9ADD45AEABDE642A8A88681F7BB
install_name
Celex.exe
log_directory
Logs
reconnect_delay
1
startup_key
Celex
subdirectory
Celex

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2080-7-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe	family_quasar
behavioral1/memory/2436-1-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/340-33-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/2872-44-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/memory/3028-55-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

Celex.exeCelex.exeCelex.exeCelex.exeCelex.exe

pid process

2080 Celex.exe
2936 Celex.exe
340 Celex.exe
2872 Celex.exe
3028 Celex.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1848 schtasks.exe
1504 schtasks.exe
2636 schtasks.exe
1728 schtasks.exe
2356 schtasks.exe
468 schtasks.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

688 PING.EXE
1976 PING.EXE
2564 PING.EXE
2236 PING.EXE

pid	process
2080	Celex.exe
2936	Celex.exe
340	Celex.exe
2872	Celex.exe
3028	Celex.exe

pid	process
1848	schtasks.exe
1504	schtasks.exe
2636	schtasks.exe
1728	schtasks.exe
2356	schtasks.exe
468	schtasks.exe

pid	process
688	PING.EXE
1976	PING.EXE
2564	PING.EXE
2236	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exe

description	pid	process
Token: SeDebugPrivilege	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
Token: SeDebugPrivilege	2080	Celex.exe
Token: SeDebugPrivilege	2936	Celex.exe
Token: SeDebugPrivilege	340	Celex.exe
Token: SeDebugPrivilege	2872	Celex.exe
Token: SeDebugPrivilege	3028	Celex.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Celex.exeCelex.exeCelex.exeCelex.exeCelex.exe

pid process

2080 Celex.exe
2936 Celex.exe
340 Celex.exe
2872 Celex.exe
3028 Celex.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Celex.exeCelex.exeCelex.exeCelex.exeCelex.exe

pid process

2080 Celex.exe
2936 Celex.exe
340 Celex.exe
2872 Celex.exe
3028 Celex.exe

pid	process
2080	Celex.exe
2936	Celex.exe
340	Celex.exe
2872	Celex.exe
3028	Celex.exe

pid	process
2080	Celex.exe
2936	Celex.exe
340	Celex.exe
2872	Celex.exe
3028	Celex.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exe

description	pid	process	target process
PID 2436 wrote to memory of 1728	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	schtasks.exe
PID 2436 wrote to memory of 1728	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	schtasks.exe
PID 2436 wrote to memory of 1728	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	schtasks.exe
PID 2436 wrote to memory of 2080	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	Celex.exe
PID 2436 wrote to memory of 2080	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	Celex.exe
PID 2436 wrote to memory of 2080	2436	34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe	Celex.exe
PID 2080 wrote to memory of 2636	2080	Celex.exe	schtasks.exe
PID 2080 wrote to memory of 2636	2080	Celex.exe	schtasks.exe
PID 2080 wrote to memory of 2636	2080	Celex.exe	schtasks.exe
PID 2080 wrote to memory of 2828	2080	Celex.exe	cmd.exe
PID 2080 wrote to memory of 2828	2080	Celex.exe	cmd.exe
PID 2080 wrote to memory of 2828	2080	Celex.exe	cmd.exe
PID 2828 wrote to memory of 2620	2828	cmd.exe	chcp.com
PID 2828 wrote to memory of 2620	2828	cmd.exe	chcp.com
PID 2828 wrote to memory of 2620	2828	cmd.exe	chcp.com
PID 2828 wrote to memory of 2564	2828	cmd.exe	PING.EXE
PID 2828 wrote to memory of 2564	2828	cmd.exe	PING.EXE
PID 2828 wrote to memory of 2564	2828	cmd.exe	PING.EXE
PID 2828 wrote to memory of 2936	2828	cmd.exe	Celex.exe
PID 2828 wrote to memory of 2936	2828	cmd.exe	Celex.exe
PID 2828 wrote to memory of 2936	2828	cmd.exe	Celex.exe
PID 2936 wrote to memory of 2356	2936	Celex.exe	schtasks.exe
PID 2936 wrote to memory of 2356	2936	Celex.exe	schtasks.exe
PID 2936 wrote to memory of 2356	2936	Celex.exe	schtasks.exe
PID 2936 wrote to memory of 2224	2936	Celex.exe	cmd.exe
PID 2936 wrote to memory of 2224	2936	Celex.exe	cmd.exe
PID 2936 wrote to memory of 2224	2936	Celex.exe	cmd.exe
PID 2224 wrote to memory of 2232	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2232	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2232	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2236	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2236	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 2236	2224	cmd.exe	PING.EXE
PID 2224 wrote to memory of 340	2224	cmd.exe	Celex.exe
PID 2224 wrote to memory of 340	2224	cmd.exe	Celex.exe
PID 2224 wrote to memory of 340	2224	cmd.exe	Celex.exe
PID 340 wrote to memory of 468	340	Celex.exe	schtasks.exe
PID 340 wrote to memory of 468	340	Celex.exe	schtasks.exe
PID 340 wrote to memory of 468	340	Celex.exe	schtasks.exe
PID 340 wrote to memory of 380	340	Celex.exe	cmd.exe
PID 340 wrote to memory of 380	340	Celex.exe	cmd.exe
PID 340 wrote to memory of 380	340	Celex.exe	cmd.exe
PID 380 wrote to memory of 1144	380	cmd.exe	chcp.com
PID 380 wrote to memory of 1144	380	cmd.exe	chcp.com
PID 380 wrote to memory of 1144	380	cmd.exe	chcp.com
PID 380 wrote to memory of 688	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 688	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 688	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 2872	380	cmd.exe	Celex.exe
PID 380 wrote to memory of 2872	380	cmd.exe	Celex.exe
PID 380 wrote to memory of 2872	380	cmd.exe	Celex.exe
PID 2872 wrote to memory of 1848	2872	Celex.exe	schtasks.exe
PID 2872 wrote to memory of 1848	2872	Celex.exe	schtasks.exe
PID 2872 wrote to memory of 1848	2872	Celex.exe	schtasks.exe
PID 2872 wrote to memory of 772	2872	Celex.exe	cmd.exe
PID 2872 wrote to memory of 772	2872	Celex.exe	cmd.exe
PID 2872 wrote to memory of 772	2872	Celex.exe	cmd.exe
PID 772 wrote to memory of 2964	772	cmd.exe	chcp.com
PID 772 wrote to memory of 2964	772	cmd.exe	chcp.com
PID 772 wrote to memory of 2964	772	cmd.exe	chcp.com
PID 772 wrote to memory of 1976	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 1976	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 1976	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 3028	772	cmd.exe	Celex.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
"C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1728

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\s72nFzzHhQz3.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2620

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2564

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C6cmR5QcZR7A.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2232

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2236

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:468

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\44K55chyoz1Q.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1144

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:688

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2BBnuJqRgXKZ.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2964

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1976

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3028

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2BBnuJqRgXKZ.bat
Filesize
205B

MD5
a8a40785e947cbd4654ac01e1881455e

SHA1
ba3f8805233e3cc7d03c70e4b53f49aab46e8874

SHA256
d8740d79469e0ea584dbfca1d775a02c1c6f2ae7b58638cf3e8dffdb9edf559d

SHA512
d49a3e26adcf053719070a6c1b6305149aa01fb02eae17bcfe8e391f053e89f5b77bf95c4515fe28c983675757be9fe1cde890d047d1b444b4c3a3810a82bd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\44K55chyoz1Q.bat
Filesize
205B

MD5
efd5c6839e7dc868e9191ae1b6f7a526

SHA1
2f77aa7b86fa67d8edf14b738fd7170df43c7fd9

SHA256
9afd6bfa6727b03f64c86aa345b34e8194a57dbcf96956364b1a8cbbdd26b574

SHA512
7c2cbf200e33bc185d9f8dc9cf420e8423810894f479a1a4a374716d83d46bb6a0524c681ea932dc3c35415d5851e13cb0fce8a18898f99f4627e4084bb3e1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6cmR5QcZR7A.bat
Filesize
205B

MD5
102d56b1eede5ee3b82dc5b347b6b5bc

SHA1
f5b1e03bcc6f01c601de743b89d665b49332af18

SHA256
8a176c2ef61749b3f703ff2ad6f5046913e29e4092ec0bb5cde9e7461f6c2ef1

SHA512
1d4fe819f960609c7a48accef359ccfb7b93e896e7fa31f1f8c3a5175004476967d225cac983d3778236d2bbf954cf1994cf5a60106711a37341ab47fe467972

Download Submit
C:\Users\Admin\AppData\Local\Temp\s72nFzzHhQz3.bat
Filesize
205B

MD5
2c0615443f674595076afee6bd6a0188

SHA1
d3f7f12531079290d7fcadc7dba6b2511a527add

SHA256
1a2d5dfcc78298da47fb99157d9a2127a2b0199e2f17d8af19d3c6647675075a

SHA512
30ac097b4e0415ea8db03847141dda52b76911c410c7aa8bc360998866dc69b3d96535f096b2a411cedb5df66571b22a7f66f4a4967b4c495269c85e288dbf1b

Download Submit
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
Filesize
3.1MB

MD5
483d0a45f61e108b7a89c6707e138d62

SHA1
da16e84ef741a6a82038468da5990b25e3bf751c

SHA256
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

SHA512
5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492

Download Submit
memory/340-33-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/2080-11-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-20-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-7-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download
memory/2080-10-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-1-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2436-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2436-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-8-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2872-44-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/3028-55-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads