quasar | 149ef8e77fbe162157f8462892235211b9f926a3454d615ad4c59e854e48ec82

General

Target

Powershell.exe
Size

409KB
MD5

4286aedc2a233ab74deb2670fa484866
SHA1

860fdc6876a4948f5e352aa50910b9f13607c3fb
SHA256

149ef8e77fbe162157f8462892235211b9f926a3454d615ad4c59e854e48ec82
SHA512

fc3c7885a9f6af0a2d38375f1d256128a474a998c2359938955fff6e45d216dfa1942ccba2359b18f263219d95004b9e976524ef26c967c58cb29a7c6c93f097
SSDEEP

12288:UpsD64e1MDEArEiVTqkllSmxmeN1AKXiLNk2+XRnS:ksG4kMsaGkllvxvuKyZ1N

Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
JCa22tR8WnO00adn2TuE
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4212-1-0x0000000000C30000-0x0000000000C9C000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

4568 SCHTASKS.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1732 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4212 Powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Powershell.exe

pid process

4212 Powershell.exe

flow	ioc
1	ip-api.com

pid	process
4568	SCHTASKS.exe

pid	process
1732	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4212	Powershell.exe

pid	process
4212	Powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Powershell.execmd.exe

description	pid	process	target process
PID 4212 wrote to memory of 3700	4212	Powershell.exe	cmd.exe
PID 4212 wrote to memory of 3700	4212	Powershell.exe	cmd.exe
PID 4212 wrote to memory of 3700	4212	Powershell.exe	cmd.exe
PID 3700 wrote to memory of 4976	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 4976	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 4976	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 1732	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 1732	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 1732	3700	cmd.exe	PING.EXE
PID 4212 wrote to memory of 4568	4212	Powershell.exe	SCHTASKS.exe
PID 4212 wrote to memory of 4568	4212	Powershell.exe	SCHTASKS.exe
PID 4212 wrote to memory of 4568	4212	Powershell.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\Powershell.exe
"C:\Users\Admin\AppData\Local\Temp\Powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M5POQZ0q95oB.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4976

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1732

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Powershell.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Powershell.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M5POQZ0q95oB.bat
Filesize
267B

MD5
ed58a0ec543a10e4770a02f5eb821049

SHA1
356d8dd839a775171ed673e068f309faacd5cceb

SHA256
de4cf60589223d2096acc4efe2cc0f7da74cc8f7499750f5d30e81b8d72bb735

SHA512
1302583000186706a58abfb9adb005d5e9d814e79420839fb8f2a82809a0fc95c3afc7a265b2d706f8c7639a64c3cc2435c3ad031307e9f95a865ce42ce30a31

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-29-~1
Filesize
224B

MD5
294036c475b5452a28d1b14b404c26ac

SHA1
7ae1843dfddc3e38a71a89303b9743d5b233d62a

SHA256
421ad0c5b21b93fe4ed3ccb27a5bbbab5972e0e9d18ada5dfaf70bbbe765b91f

SHA512
4d536461556760cab92c4471b868c3ea0bd6d96a593eace1305974d14899201507af1eb97f35d6d8959c3fa228b06e7960d252507288374b314f6cfe7f78b954

Download Submit
memory/4212-6-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/4212-3-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4212-4-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/4212-5-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/4212-0-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

Filesize
4KB

Download
memory/4212-7-0x0000000006560000-0x000000000659E000-memory.dmp

Filesize
248KB

Download
memory/4212-9-0x0000000006C60000-0x0000000006C6A000-memory.dmp

Filesize
40KB

Download
memory/4212-10-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

Filesize
4KB

Download
memory/4212-11-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/4212-2-0x0000000005A50000-0x0000000005F4E000-memory.dmp

Filesize
5.0MB

Download
memory/4212-17-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/4212-1-0x0000000000C30000-0x0000000000C9C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads