quasar | de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

Analysis

max time kernel
1s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseXBootstrapper.exe
Size

3.1MB
MD5

9434a1822088cedbce057d280c235864
SHA1

c09173a18e5ae2d9d38bd4d3d196adf1423f924e
SHA256

de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336
SHA512

7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632
SSDEEP

49152:PvnI22SsaNYfdPBldt698dBcjHHeJ/uBx3ioGdyTHHB72eh2NT:PvI22SsaNYfdPBldt6+dBcjH4/X

Score

10^/10

quasar windows update spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

skbidiooiilet-31205.portmap.host:31205

Mutex

b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6

Attributes

encryption_key
6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
Windows Update

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3360-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe	family_quasar

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3548 schtasks.exe
4796 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SynapseXBootstrapper.exe

description pid process

Token: SeDebugPrivilege 3360 SynapseXBootstrapper.exe

pid	process
3548	schtasks.exe
4796	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3360	SynapseXBootstrapper.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

SynapseXBootstrapper.exe

description	pid	process	target process
PID 3360 wrote to memory of 3548	3360	SynapseXBootstrapper.exe	schtasks.exe
PID 3360 wrote to memory of 3548	3360	SynapseXBootstrapper.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SynapseXBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseXBootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3548
- C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
  "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
  2⤵
  PID:2344
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe

Filesize
3.1MB

MD5
9434a1822088cedbce057d280c235864

SHA1
c09173a18e5ae2d9d38bd4d3d196adf1423f924e

SHA256
de29011246319ec8b60774d8c4cad4e8299e27eba6dc7699cd257fbdda338336

SHA512
7461b706ef796abc96d7f2549091061910fdf81a77ae0f8d0c20c5de870164410f5dd3b68e3e33a5bb9b77c3ccf59fd787164530b6d2d03688d4dceccb4fb632

Download Submit
memory/2344-10-0x00007FF920A60000-0x00007FF921521000-memory.dmp

Filesize
10.8MB

Download
memory/2344-11-0x00007FF920A60000-0x00007FF921521000-memory.dmp

Filesize
10.8MB

Download
memory/2344-13-0x000000001BF80000-0x000000001C032000-memory.dmp

Filesize
712KB

Download
memory/2344-12-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/3360-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

Filesize
3.1MB

Download
memory/3360-0-0x00007FF920A63000-0x00007FF920A65000-memory.dmp

Filesize
8KB

Download
memory/3360-2-0x00007FF920A60000-0x00007FF921521000-memory.dmp

Filesize
10.8MB

Download
memory/3360-9-0x00007FF920A60000-0x00007FF921521000-memory.dmp

Filesize
10.8MB

Download