quasar | 139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Token Generator.exe
Size

3.1MB
MD5

6d2ad4ada4961027832e557db06fc08d
SHA1

816018499f5e291850d7dd2a0d15c914e5607630
SHA256

139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
SHA512

1d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241
SSDEEP

49152:uvSI22SsaNYfdPBldt698dBcjH9tDSh1J6LoGdLlTHHB72eh2NT:uv/22SsaNYfdPBldt6+dBcjHTDSG

Score

10^/10

quasar token gen spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Token Gen

uk2.localto.net:6103

Mutex

0c14e9f2-6918-4e50-8463-04ad871c1e3d

Attributes

encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
install_name
$77-powershell.exe
log_directory
$77-Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
$77-Rootkit

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1544-1-0x0000000000740000-0x0000000000A64000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

$77-powershell.exe

pid process

4972 $77-powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4748 schtasks.exe
4352 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Token Generator.exe$77-powershell.exe

description pid process

Token: SeDebugPrivilege 1544 Token Generator.exe
Token: SeDebugPrivilege 4972 $77-powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77-powershell.exe

pid process

4972 $77-powershell.exe

pid	process
4972	$77-powershell.exe

pid	process
4748	schtasks.exe
4352	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1544	Token Generator.exe
Token: SeDebugPrivilege	4972	$77-powershell.exe

pid	process
4972	$77-powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Token Generator.exe$77-powershell.exe

description	pid	process	target process
PID 1544 wrote to memory of 4352	1544	Token Generator.exe	schtasks.exe
PID 1544 wrote to memory of 4352	1544	Token Generator.exe	schtasks.exe
PID 1544 wrote to memory of 4972	1544	Token Generator.exe	$77-powershell.exe
PID 1544 wrote to memory of 4972	1544	Token Generator.exe	$77-powershell.exe
PID 4972 wrote to memory of 4748	4972	$77-powershell.exe	schtasks.exe
PID 4972 wrote to memory of 4748	4972	$77-powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Token Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4352

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe
"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4836,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe
Filesize
3.1MB

MD5
6d2ad4ada4961027832e557db06fc08d

SHA1
816018499f5e291850d7dd2a0d15c914e5607630

SHA256
139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e

SHA512
1d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241

Download Submit
memory/1544-0-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmp

Filesize
8KB

Download
memory/1544-1-0x0000000000740000-0x0000000000A64000-memory.dmp

Filesize
3.1MB

Download
memory/1544-2-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-10-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-9-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-11-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-12-0x000000001BB60000-0x000000001BBB0000-memory.dmp

Filesize
320KB

Download
memory/4972-13-0x000000001BC70000-0x000000001BD22000-memory.dmp

Filesize
712KB

Download
memory/4972-14-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download