quasar | 451f300d14014ed0d89f00dde44295272d1672507a449a6106dc450493baa52e

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe
Size

348KB
MD5

10fb9b71859bfc7ae5aff462a88ade70
SHA1

3e6c00c0d6d443741216b79e7f500d927b4cb60a
SHA256

451f300d14014ed0d89f00dde44295272d1672507a449a6106dc450493baa52e
SHA512

7666023e2c63c8eff11fb02588636fc932c0f616323bfa2c4faf4a65ba0355ea18f70a0b12246ffeacd1d0b137dd2aa6085058c5503fff0187f377758add3491
SSDEEP

6144:uvNHXf500M8wU2Kd6ab76s9BeSCck4kZ25t0CNO:0d50XKYK6cCcL5txO

Score

10^/10

quasar proxy spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

PROXY

proxybreve.duckdns.org:4001

Mutex

QSR_MUTEX_l1M93VuqIyiH8hEQ4I

Attributes

encryption_key
Z3lsDT6GRXRES92YFSq8
install_name
Client.exe
log_directory
Logs
reconnect_delay
1
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1688-1-0x0000000000B50000-0x0000000000BAE000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

684 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1688 10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe

flow	ioc
2	ip-api.com

pid	process
684	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1688	10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 2160	1688	10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe	cmd.exe
PID 1688 wrote to memory of 2160	1688	10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe	cmd.exe
PID 1688 wrote to memory of 2160	1688	10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe	cmd.exe
PID 1688 wrote to memory of 2160	1688	10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe	cmd.exe
PID 2160 wrote to memory of 584	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 584	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 584	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 584	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 684	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 684	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 684	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 684	2160	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10fb9b71859bfc7ae5aff462a88ade70_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xu20wfX21GHc.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xu20wfX21GHc.bat

Filesize
244B

MD5
b18307e8a785e3dacdad0b3a23ec51a4

SHA1
8c249a911b03adcca4335bbaba1d9027cd5cf910

SHA256
618fc89a1a91e80daaf0c7f8e7cfe714627b14522263a38081e998ad79bfb2d5

SHA512
a4ced2c16fa9e8ef5b76582064a419ec1f3e9dad6e159a3d85810f471438b95ead5f250cde5e48d7a41acca29150ff1093f6eb2c44d34b6b0d3def8b73c03b2a

Download Submit
memory/1688-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000B50000-0x0000000000BAE000-memory.dmp

Filesize
376KB

Download
memory/1688-2-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-3-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/1688-4-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-14-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download