quasar | d0397cc6f8f74d67be54ba27842dcf8ebf8cf5515b3ca63d373ef9b7087b14cd

General

Target

Ratlol.exe
Size

3.1MB
MD5

00d91ad6e1ab33673de0fa1fcc40b3d9
SHA1

238265a76591f9ed06fdfdb3ae0414d72f5ee804
SHA256

d0397cc6f8f74d67be54ba27842dcf8ebf8cf5515b3ca63d373ef9b7087b14cd
SHA512

82a446bf9696467be5b51230dbd2c5c48e48e0c844f3e08e8a1fc5c094eb9cb63d1fd723fb8eda0992f8509eb8a5a1a71b9a9dd65549d7f7f0e0f4614feeb9e0
SSDEEP

49152:Ev8Y52fyaSZOrPWluWBuGG5g5h3NR16+bR3QoGdYTHHB72eh2NT:EvF52fyaSZOrPWluWBDG5g5h3NR16n

Score

10^/10

quasar sigma spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Sigma

C2

idk:4782

Mutex

5c7d6a36-dffc-4ec3-8525-ba9161772945

Attributes

encryption_key
7930C3883BFB3E417BEC9036B64E581CD2465EFE
install_name
Ratlol.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Balls
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3748-1-0x0000000000B60000-0x0000000000E84000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Ratlol.exe

pid process

2400 Ratlol.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

980 schtasks.exe
4308 schtasks.exe
1300 schtasks.exe
164 schtasks.exe
3616 schtasks.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3984 PING.EXE
2452 PING.EXE
1836 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Ratlol.exeRatlol.exe

description pid process

Token: SeDebugPrivilege 3748 Ratlol.exe
Token: SeDebugPrivilege 2400 Ratlol.exe

pid	process
2400	Ratlol.exe

pid	process
980	schtasks.exe
4308	schtasks.exe
1300	schtasks.exe
164	schtasks.exe
3616	schtasks.exe

pid	process
3984	PING.EXE
2452	PING.EXE
1836	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3748	Ratlol.exe
Token: SeDebugPrivilege	2400	Ratlol.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Ratlol.exeRatlol.exe

description	pid	process	target process
PID 3748 wrote to memory of 164	3748	Ratlol.exe	schtasks.exe
PID 3748 wrote to memory of 164	3748	Ratlol.exe	schtasks.exe
PID 3748 wrote to memory of 2400	3748	Ratlol.exe	Ratlol.exe
PID 3748 wrote to memory of 2400	3748	Ratlol.exe	Ratlol.exe
PID 2400 wrote to memory of 3616	2400	Ratlol.exe	schtasks.exe
PID 2400 wrote to memory of 3616	2400	Ratlol.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ratlol.exe
"C:\Users\Admin\AppData\Local\Temp\Ratlol.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:164

C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bw2suixlcBL.bat" "
3⤵
PID:528

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3984

C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
4⤵
PID:4716

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B7DVKiyAKNS.bat" "
5⤵
PID:1900

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4596

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2452

C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
6⤵
PID:1376

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tHN9jb0rQTQz.bat" "
7⤵
PID:1860

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3456

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1836

C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
8⤵
PID:2788

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1300

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ratlol.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bw2suixlcBL.bat
Filesize
207B

MD5
3a8b1de46f2a49724372c5531ccbb575

SHA1
5907dc43b6bfb900e60b00f518e60d5a9f707073

SHA256
8d9aba7cb3007d0cd63dd6a11d529181bf6f4b62656d57ce42bc45bb74a60f70

SHA512
531b2d20262d8f9630d64942caee123e55b3b3e33ce25625500ad7d07cbff6889ddd204aa9614f64afcaa68740da02c6d4994dc93abd28f0d96c2fc3b76221bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B7DVKiyAKNS.bat
Filesize
207B

MD5
36ff718798703526854e76bc7c6a44de

SHA1
8a7df1db116584544566333fee09325b8f28682c

SHA256
1aab5f8c798e29db35da08dd4d61cb4dc2caa7d30e7357b3d9bcea61be34d2ff

SHA512
fb1258e3d724d46b1f62b56f2d9d69726751291a9bcfd57e0e272981779be4d1d6ff3f5c9e73e3e3aadba3f9e1d90ba4ff2271f3e3e0e9cba464f025d60681fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tHN9jb0rQTQz.bat
Filesize
207B

MD5
3ec498e70c9e73b49cccfb1a189f7bf3

SHA1
43a920311444201a6960b370b2e8a6facc7af38e

SHA256
8de0e94e7c20621d79f0cb84000710fe3920d900f324e679229f3a75fe459c0b

SHA512
fcc7571ae80efe3086753cb3b1395c2d2ed932eb6a3741566acd48eaf64cbc525286e9ef23b63c805775bb1bfe65466471f76d2edb8ceb6aedfd3b21ee6634ff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
Filesize
655KB

MD5
4d34fb2508c3cc5668544557f8f9b1c5

SHA1
cb49c9db36a443f7a63e84495662e6abb04f1f39

SHA256
f778fa96479a8e72de1408fe8863ee8563cea9bf7955f074714db0874c712c66

SHA512
10fe73196a499ef3027894fddf2f9f2f85a4d3d2e1106b15e347cbdd0f8be1420bcda881d6caf3ca95512cef3ba9536b46409d7fc96d3a7bf6f4d6ad0c3d0acb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
Filesize
3.1MB

MD5
00d91ad6e1ab33673de0fa1fcc40b3d9

SHA1
238265a76591f9ed06fdfdb3ae0414d72f5ee804

SHA256
d0397cc6f8f74d67be54ba27842dcf8ebf8cf5515b3ca63d373ef9b7087b14cd

SHA512
82a446bf9696467be5b51230dbd2c5c48e48e0c844f3e08e8a1fc5c094eb9cb63d1fd723fb8eda0992f8509eb8a5a1a71b9a9dd65549d7f7f0e0f4614feeb9e0

Download Submit
memory/2400-11-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-12-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-13-0x000000001BFE0000-0x000000001C030000-memory.dmp

Filesize
320KB

Download
memory/2400-14-0x000000001C0F0000-0x000000001C1A2000-memory.dmp

Filesize
712KB

Download
memory/2400-19-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-0-0x00007FFFB6A63000-0x00007FFFB6A64000-memory.dmp

Filesize
4KB

Download
memory/3748-10-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-2-0x00007FFFB6A60000-0x00007FFFB744C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-1-0x0000000000B60000-0x0000000000E84000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads