quasar | 6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7

General

Target

Uni.exe
Size

409KB
MD5

78f15f52152da9355915d646d5f4f1e6
SHA1

514623af0d40968570977bb0993bc775b5dcb6cb
SHA256

6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7
SHA512

13752ce045c2f7f0be187a6688b4032579fce7f17e8b77f66f192ee472aa58e60a1c5ea34dd85cb704e621afe4f228df880536159a7a907c41fbfeba3180a87d
SSDEEP

12288:ypbJjGukXuXQiwWlaJKwuKOASp2uLBUS:2VauOWERPIpB

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
PXEHWy52mqnqS2Hd39SK
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1836-1-0x00000000006C0000-0x000000000072C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exe7ow0o4SyvjN4.exe

pid process

1912 Client.exe
4604 7ow0o4SyvjN4.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

2864 schtasks.exe
3252 SCHTASKS.exe
3196 schtasks.exe

pid	process
1912	Client.exe
4604	7ow0o4SyvjN4.exe

flow	ioc
7	ip-api.com

pid	process
2864	schtasks.exe
3252	SCHTASKS.exe
3196	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Uni.exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1836	Uni.exe
Token: SeDebugPrivilege	1912	Client.exe
Token: 33	3980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3980	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exe7ow0o4SyvjN4.exe

pid process

1912 Client.exe
4604 7ow0o4SyvjN4.exe

pid	process
1912	Client.exe
4604	7ow0o4SyvjN4.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Uni.exeClient.exe

description	pid	process	target process
PID 1836 wrote to memory of 2864	1836	Uni.exe	schtasks.exe
PID 1836 wrote to memory of 2864	1836	Uni.exe	schtasks.exe
PID 1836 wrote to memory of 2864	1836	Uni.exe	schtasks.exe
PID 1836 wrote to memory of 1912	1836	Uni.exe	Client.exe
PID 1836 wrote to memory of 1912	1836	Uni.exe	Client.exe
PID 1836 wrote to memory of 1912	1836	Uni.exe	Client.exe
PID 1836 wrote to memory of 3252	1836	Uni.exe	SCHTASKS.exe
PID 1836 wrote to memory of 3252	1836	Uni.exe	SCHTASKS.exe
PID 1836 wrote to memory of 3252	1836	Uni.exe	SCHTASKS.exe
PID 1912 wrote to memory of 3196	1912	Client.exe	schtasks.exe
PID 1912 wrote to memory of 3196	1912	Client.exe	schtasks.exe
PID 1912 wrote to memory of 3196	1912	Client.exe	schtasks.exe
PID 1912 wrote to memory of 4604	1912	Client.exe	7ow0o4SyvjN4.exe
PID 1912 wrote to memory of 4604	1912	Client.exe	7ow0o4SyvjN4.exe
PID 1912 wrote to memory of 4604	1912	Client.exe	7ow0o4SyvjN4.exe

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3196

C:\Users\Admin\AppData\Local\Temp\7ow0o4SyvjN4.exe
"C:\Users\Admin\AppData\Local\Temp\7ow0o4SyvjN4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ow0o4SyvjN4.exe
Filesize
276KB

MD5
120f3a38b2f4eb0f800ebe47ffa5e76b

SHA1
bed5148cc6a53e12a86ed635bb79135a568edd78

SHA256
3a195d762fd1e2f7f93eb4cbcef8fa9b600a6f94fc43b1c1c157b2c5e069154f

SHA512
60e66274203624afa422578d9807b21cbcc99de855dd665aa54753c957886677e358a2579ade098970c7ea3f9c3f2476c9e028fdabaac6ee991f09093fa52aff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
78f15f52152da9355915d646d5f4f1e6

SHA1
514623af0d40968570977bb0993bc775b5dcb6cb

SHA256
6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7

SHA512
13752ce045c2f7f0be187a6688b4032579fce7f17e8b77f66f192ee472aa58e60a1c5ea34dd85cb704e621afe4f228df880536159a7a907c41fbfeba3180a87d

Download Submit
memory/1836-4-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1836-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1836-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1836-5-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/1836-6-0x0000000005E50000-0x0000000005E62000-memory.dmp

Filesize
72KB

Download
memory/1836-7-0x0000000006390000-0x00000000063CC000-memory.dmp

Filesize
240KB

Download
memory/1836-2-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/1836-3-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/1836-1-0x00000000006C0000-0x000000000072C000-memory.dmp

Filesize
432KB

Download
memory/1912-13-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-18-0x00000000068F0000-0x00000000068FA000-memory.dmp

Filesize
40KB

Download
memory/1912-19-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-14-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads