quasar | c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567

General

Target

2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
Size

2.2MB
MD5

e19f2d8b706b8ae8390bcb5ee7b10d1f
SHA1

d1bf74445805bb2b9744aaf272e70166fe07bbfd
SHA256

c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567
SHA512

6d74c88abc84eb7390a7c8245e8d5f4a361e293e07b49ff2b08021e5f864319faf6a1b886d628cb861d27baab9560a67521a9baa5f68e50f592663ead0ee8c68
SSDEEP

49152:BwN7fzYcFe7I3TEK24Y9/qTjtfdI7dHiCgqAmcP1Qy8rPGZfEvYENf/rHi1y:4YcFe8gT/qfJM9i8KuxKyp/rHis

Score

10^/10

quasar test1 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test1

C2

192.168.100.7:4782

192.168.100.1:4782

192.168.100.2:4782

192.168.100.3:4782

192.168.100.4:4782

192.168.100.5:4782

192.168.100.6:4782

192.168.100.8:4782

192.168.100.9:4782

Mutex

QSR_MUTEX_EUcqtx8KrCdmvD2YIx

Attributes

encryption_key
riVWKQv6KwgHqOuBNiok
install_name
Microsoft.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	family_quasar
behavioral2/memory/3224-15-0x0000000000A10000-0x0000000000A7C000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3224-15-0x0000000000A10000-0x0000000000A7C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral2/memory/3224-15-0x0000000000A10000-0x0000000000A7C000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe

Executes dropped EXE 2 IoCs

Processes:

Microsoft.exeMicrosoft.exe

pid process

3224 Microsoft.exe
1172 Microsoft.exe

pid	process
3224	Microsoft.exe
1172	Microsoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.exe\""	Microsoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Windows\\SysWOW64\\SubDir\\Microsoft.exe\""	Microsoft.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com

flow	ioc
20	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Microsoft.exeMicrosoft.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3564 schtasks.exe
1076 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Microsoft.exeMicrosoft.exe

description pid process

Token: SeDebugPrivilege 3224 Microsoft.exe
Token: SeDebugPrivilege 1172 Microsoft.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft.exe

pid process

1172 Microsoft.exe

pid	process
3564	schtasks.exe
1076	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3224	Microsoft.exe
Token: SeDebugPrivilege	1172	Microsoft.exe

pid	process
1172	Microsoft.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exeMicrosoft.exeMicrosoft.exe

description	pid	process	target process
PID 3088 wrote to memory of 3224	3088	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 3088 wrote to memory of 3224	3088	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 3088 wrote to memory of 3224	3088	2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe	Microsoft.exe
PID 3224 wrote to memory of 3564	3224	Microsoft.exe	schtasks.exe
PID 3224 wrote to memory of 3564	3224	Microsoft.exe	schtasks.exe
PID 3224 wrote to memory of 3564	3224	Microsoft.exe	schtasks.exe
PID 3224 wrote to memory of 1172	3224	Microsoft.exe	Microsoft.exe
PID 3224 wrote to memory of 1172	3224	Microsoft.exe	Microsoft.exe
PID 3224 wrote to memory of 1172	3224	Microsoft.exe	Microsoft.exe
PID 1172 wrote to memory of 1076	1172	Microsoft.exe	schtasks.exe
PID 1172 wrote to memory of 1076	1172	Microsoft.exe	schtasks.exe
PID 1172 wrote to memory of 1076	1172	Microsoft.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3564

C:\Windows\SysWOW64\SubDir\Microsoft.exe
"C:\Windows\SysWOW64\SubDir\Microsoft.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Microsoft.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
Filesize
404KB

MD5
e170049e9b196df27c1f126e1c694f7e

SHA1
b4f82cca3a3430ff49eaacb4a4c15a360d3068f3

SHA256
1edd92518733782c94389dcc05c00457ef027717f31300d9d678179896f49540

SHA512
a83a5ece0bc0f6cc376b7fbd8f4c8c3b0911f807e52f3b0484acf02267cb680dbe93ff22a06ca5f7a86b8ed996bee8648013ce92082ce27b2d1658048df38512

Download Submit
memory/1172-30-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/3224-14-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/3224-15-0x0000000000A10000-0x0000000000A7C000-memory.dmp

Filesize
432KB

Download
memory/3224-16-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/3224-17-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/3224-18-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3224-19-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/3224-20-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/3224-21-0x00000000066D0000-0x000000000670C000-memory.dmp

Filesize
240KB

Download
memory/3224-28-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads