quasar | cb2efd76831c2dbf85368de55e298c290fa3d22f303745195c734ee4cf979c79

General

Target

37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe
Size

503KB
MD5

a760c4263a2d1e144c2fd116bf1351e1
SHA1

98da7637a98df832078ed0ec08d11d588223783e
SHA256

37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf
SHA512

ee8ff2686a4a95a779711ca3126423f769351de6b9e8a27d0ff0d78212e76ef703ada91778620799dd3dbe07cea840f7f44c65273278ea3b4f539274dbc806bf
SSDEEP

12288:+TEgdfY97axTU7H4TywQCngRnLN9cHcdA:bUwkyoywQCnkgcdA

Score

10^/10

quasar beobeo spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

BEOBEO

C2

222.253.182.185:9090

Mutex

b629c3f9-6e84-4b12-aa44-142bd48d26fe

Attributes

encryption_key
E3F9325FDCF7CBE474DB678812431E432D3171B2
install_name
Realtek HD Audio Universal Services.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek
subdirectory
Realtek HD Audio Universal Services

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000B50000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/files/0x000b00000001430e-5.dat	family_quasar
behavioral1/memory/2240-7-0x0000000000820000-0x00000000008A4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2240	Realtek HD Audio Universal Services.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe
2564	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe
Token: SeDebugPrivilege	2240	Realtek HD Audio Universal Services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	Realtek HD Audio Universal Services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2592	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	28
PID 2084 wrote to memory of 2592	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	28
PID 2084 wrote to memory of 2592	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	28
PID 2084 wrote to memory of 2240	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	30
PID 2084 wrote to memory of 2240	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	30
PID 2084 wrote to memory of 2240	2084	37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe	30
PID 2240 wrote to memory of 2564	2240	Realtek HD Audio Universal Services.exe	31
PID 2240 wrote to memory of 2564	2240	Realtek HD Audio Universal Services.exe	31
PID 2240 wrote to memory of 2564	2240	Realtek HD Audio Universal Services.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe
"C:\Users\Admin\AppData\Local\Temp\37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Realtek" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2592
- C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Services\Realtek HD Audio Universal Services.exe
  "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Services\Realtek HD Audio Universal Services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Realtek" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Services\Realtek HD Audio Universal Services.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Realtek HD Audio Universal Services\Realtek HD Audio Universal Services.exe

Filesize
503KB

MD5
a760c4263a2d1e144c2fd116bf1351e1

SHA1
98da7637a98df832078ed0ec08d11d588223783e

SHA256
37fa30c9dcf255bda62c0a6b7f88a48263a3da18d18d8c66b1cbbc801077cfdf

SHA512
ee8ff2686a4a95a779711ca3126423f769351de6b9e8a27d0ff0d78212e76ef703ada91778620799dd3dbe07cea840f7f44c65273278ea3b4f539274dbc806bf

Download Submit
memory/2084-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000000B50000-0x0000000000BD4000-memory.dmp

Filesize
528KB

Download
memory/2084-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-9-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-7-0x0000000000820000-0x00000000008A4000-memory.dmp

Filesize
528KB

Download
memory/2240-8-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-11-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads