quasar | 55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d

General

Target

Dishkum Tena.exe
Size

3.1MB
MD5

36970784c3736c71546d73e0773ee956
SHA1

2d09c257a3e09b079d23520400953bafc495e06e
SHA256

55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d
SHA512

6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c
SSDEEP

49152:Gvht62XlaSFNWPjljiFa2RoUYI1C91JgLoGd9hTHHB72eh2NT:GvL62XlaSFNWPjljiFXRoUYI1CE

Score

10^/10

quasar dani69 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Dani69

C2

192.168.1.2:4782

Mutex

9f26ad88-50ee-4f62-81ff-c770a798a67c

Attributes

encryption_key
81B07382BFEB227CBA1AE8701042E7A26708E9ED
install_name
Dani69.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Dani69
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-1-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe	family_quasar
behavioral1/memory/2936-10-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Dani69.exe

pid process

2936 Dani69.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1540 schtasks.exe
2108 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Dishkum Tena.exeDani69.exe

description pid process

Token: SeDebugPrivilege 2204 Dishkum Tena.exe
Token: SeDebugPrivilege 2936 Dani69.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Dani69.exe

pid process

2936 Dani69.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Dani69.exe

pid process

2936 Dani69.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Dani69.exe

pid process

2936 Dani69.exe

pid	process
2936	Dani69.exe

pid	process
1540	schtasks.exe
2108	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2204	Dishkum Tena.exe
Token: SeDebugPrivilege	2936	Dani69.exe

pid	process
2936	Dani69.exe

pid	process
2936	Dani69.exe

pid	process
2936	Dani69.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Dishkum Tena.exeDani69.exe

description	pid	process	target process
PID 2204 wrote to memory of 1540	2204	Dishkum Tena.exe	schtasks.exe
PID 2204 wrote to memory of 1540	2204	Dishkum Tena.exe	schtasks.exe
PID 2204 wrote to memory of 1540	2204	Dishkum Tena.exe	schtasks.exe
PID 2204 wrote to memory of 2936	2204	Dishkum Tena.exe	Dani69.exe
PID 2204 wrote to memory of 2936	2204	Dishkum Tena.exe	Dani69.exe
PID 2204 wrote to memory of 2936	2204	Dishkum Tena.exe	Dani69.exe
PID 2936 wrote to memory of 2108	2936	Dani69.exe	schtasks.exe
PID 2936 wrote to memory of 2108	2936	Dani69.exe	schtasks.exe
PID 2936 wrote to memory of 2108	2936	Dani69.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe
"C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1540

C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
Filesize
3.1MB

MD5
36970784c3736c71546d73e0773ee956

SHA1
2d09c257a3e09b079d23520400953bafc495e06e

SHA256
55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d

SHA512
6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c

Download Submit
memory/2204-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/2204-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-9-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-8-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-11-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-10-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/2936-13-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-14-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads