quasar | c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567

General

Target

2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
Size

2.2MB
MD5

e19f2d8b706b8ae8390bcb5ee7b10d1f
SHA1

d1bf74445805bb2b9744aaf272e70166fe07bbfd
SHA256

c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567
SHA512

6d74c88abc84eb7390a7c8245e8d5f4a361e293e07b49ff2b08021e5f864319faf6a1b886d628cb861d27baab9560a67521a9baa5f68e50f592663ead0ee8c68
SSDEEP

49152:BwN7fzYcFe7I3TEK24Y9/qTjtfdI7dHiCgqAmcP1Qy8rPGZfEvYENf/rHi1y:4YcFe8gT/qfJM9i8KuxKyp/rHis

Score

10^/10

quasar test1 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test1

C2

192.168.100.7:4782

192.168.100.1:4782

192.168.100.2:4782

192.168.100.3:4782

192.168.100.4:4782

192.168.100.5:4782

192.168.100.6:4782

192.168.100.8:4782

192.168.100.9:4782

Mutex

QSR_MUTEX_EUcqtx8KrCdmvD2YIx

Attributes

encryption_key
riVWKQv6KwgHqOuBNiok
install_name
Microsoft.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	family_quasar
behavioral1/memory/2360-16-0x0000000001300000-0x000000000136C000-memory.dmp	family_quasar
behavioral1/memory/2524-25-0x0000000000310000-0x000000000037C000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2360-16-0x0000000001300000-0x000000000136C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2524-25-0x0000000000310000-0x000000000037C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing common artifacts observed in infostealers 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2360-16-0x0000000001300000-0x000000000136C000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2524-25-0x0000000000310000-0x000000000037C000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE 2 IoCs

Processes:

Microsoft.exeMicrosoft.exe

pid process

2360 Microsoft.exe
2524 Microsoft.exe
Loads dropped DLL 1 IoCs

Processes:

Microsoft.exe

pid process

2360 Microsoft.exe

pid	process
2360	Microsoft.exe
2524	Microsoft.exe

pid	process
2360	Microsoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.exe\""	Microsoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Windows\\SysWOW64\\SubDir\\Microsoft.exe\""	Microsoft.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Microsoft.exeMicrosoft.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2536 schtasks.exe
2184 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Microsoft.exeMicrosoft.exe

description pid process

Token: SeDebugPrivilege 2360 Microsoft.exe
Token: SeDebugPrivilege 2524 Microsoft.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft.exe

pid process

2524 Microsoft.exe

pid	process
2536	schtasks.exe
2184	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2360	Microsoft.exe
Token: SeDebugPrivilege	2524	Microsoft.exe

pid	process
2524	Microsoft.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exeMicrosoft.exeMicrosoft.exe

description	pid	process	target process
PID 2128 wrote to memory of 2360	2128	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 2128 wrote to memory of 2360	2128	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 2128 wrote to memory of 2360	2128	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 2128 wrote to memory of 2360	2128	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 2360 wrote to memory of 2536	2360	Microsoft.exe	schtasks.exe
PID 2360 wrote to memory of 2536	2360	Microsoft.exe	schtasks.exe
PID 2360 wrote to memory of 2536	2360	Microsoft.exe	schtasks.exe
PID 2360 wrote to memory of 2536	2360	Microsoft.exe	schtasks.exe
PID 2360 wrote to memory of 2524	2360	Microsoft.exe	Microsoft.exe
PID 2360 wrote to memory of 2524	2360	Microsoft.exe	Microsoft.exe
PID 2360 wrote to memory of 2524	2360	Microsoft.exe	Microsoft.exe
PID 2360 wrote to memory of 2524	2360	Microsoft.exe	Microsoft.exe
PID 2524 wrote to memory of 2184	2524	Microsoft.exe	schtasks.exe
PID 2524 wrote to memory of 2184	2524	Microsoft.exe	schtasks.exe
PID 2524 wrote to memory of 2184	2524	Microsoft.exe	schtasks.exe
PID 2524 wrote to memory of 2184	2524	Microsoft.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2536

C:\Windows\SysWOW64\SubDir\Microsoft.exe
"C:\Windows\SysWOW64\SubDir\Microsoft.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Microsoft.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

Filesize
404KB

MD5
e170049e9b196df27c1f126e1c694f7e

SHA1
b4f82cca3a3430ff49eaacb4a4c15a360d3068f3

SHA256
1edd92518733782c94389dcc05c00457ef027717f31300d9d678179896f49540

SHA512
a83a5ece0bc0f6cc376b7fbd8f4c8c3b0911f807e52f3b0484acf02267cb680dbe93ff22a06ca5f7a86b8ed996bee8648013ce92082ce27b2d1658048df38512

Download Submit
memory/2128-4-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2360-15-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/2360-16-0x0000000001300000-0x000000000136C000-memory.dmp

Filesize
432KB

Download
memory/2360-17-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-26-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-25-0x0000000000310000-0x000000000037C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads