quasar | 43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

General

Target

Quasar.exe
Size

1.2MB
MD5

12ebf922aa80d13f8887e4c8c5e7be83
SHA1

7f87a80513e13efd45175e8f2511c2cd17ff51e8
SHA256

43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
SHA512

fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275
SSDEEP

12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/532-0-0x0000021867EC0000-0x0000021867FF8000-memory.dmp	family_quasar

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Modifies registry class 1 IoCs

Processes:

mspaint.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings mspaint.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4940 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mspaint.exe

pid process

2840 mspaint.exe
2840 mspaint.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4940 vlc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Quasar.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 532 Quasar.exe
Token: 33 3404 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3404 AUDIODG.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	mspaint.exe

pid	process
2840	mspaint.exe
2840	mspaint.exe

description	pid	process
Token: SeDebugPrivilege	532	Quasar.exe
Token: 33	3404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3404	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

vlc.exe

pid	process
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

vlc.exe

pid	process
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe
4940	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

mspaint.exeOpenWith.exevlc.exe

pid process

2840 mspaint.exe
876 OpenWith.exe
4940 vlc.exe

pid	process
2840	mspaint.exe
876	OpenWith.exe
4940	vlc.exe

C:\Users\Admin\AppData\Local\Temp\Quasar.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1468

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:876

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\AddMerge.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-0-0x0000021867EC0000-0x0000021867FF8000-memory.dmp

Filesize
1.2MB

Download
memory/532-1-0x00007FFCD9673000-0x00007FFCD9675000-memory.dmp

Filesize
8KB

Download
memory/532-2-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/532-3-0x00007FFCD9670000-0x00007FFCDA131000-memory.dmp

Filesize
10.8MB

Download
memory/2740-8-0x000002A02BF90000-0x000002A02BFA0000-memory.dmp

Filesize
64KB

Download
memory/2740-4-0x000002A02BF50000-0x000002A02BF60000-memory.dmp

Filesize
64KB

Download
memory/2740-15-0x000002A034BE0000-0x000002A034BE1000-memory.dmp

Filesize
4KB

Download
memory/2740-17-0x000002A034C60000-0x000002A034C61000-memory.dmp

Filesize
4KB

Download
memory/2740-19-0x000002A034C60000-0x000002A034C61000-memory.dmp

Filesize
4KB

Download
memory/2740-20-0x000002A034CF0000-0x000002A034CF1000-memory.dmp

Filesize
4KB

Download
memory/2740-21-0x000002A034CF0000-0x000002A034CF1000-memory.dmp

Filesize
4KB

Download
memory/2740-22-0x000002A034D00000-0x000002A034D01000-memory.dmp

Filesize
4KB

Download
memory/2740-23-0x000002A034D00000-0x000002A034D01000-memory.dmp

Filesize
4KB

Download
memory/4940-48-0x00007FFCE8B30000-0x00007FFCE8B64000-memory.dmp

Filesize
208KB

Download
memory/4940-47-0x00007FF66A390000-0x00007FF66A488000-memory.dmp

Filesize
992KB

Download
memory/4940-49-0x00007FFCD3FA0000-0x00007FFCD4256000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads