quasar | 9b87f3813641da8be21f130cdd5cb52c2f8ae5494a408d2303f9770b7f3039d8

Analysis

max time kernel
59s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 18:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SiHost.exe
Size

348KB
MD5

c6250d3d376c1956627bf8f4f827bbd6
SHA1

7444e248bc182e849556cfa3c2519e30ae8ee82f
SHA256

9b87f3813641da8be21f130cdd5cb52c2f8ae5494a408d2303f9770b7f3039d8
SHA512

8de084cac0e01c8d5b1c8e5443ef97a1412bb4b7ed41d1e4c5e1b5e40750b0bb6d06c9a3b16e325ca8bbe260397ee130560d0d699ff302f2ef5f8196231fa44e
SSDEEP

6144:ON13U1vhtvTA1B3jZwIbmXtNx47cSm3Bs3:iUJtLAX3jMXtNyw3Bs3

Score

10^/10

quasar farrag spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Farrag

17.ip.gl.ply.gg:33386

Mutex

QSR_MUTEX_4Q6TQpIEBpG4GGALTz

Attributes

encryption_key
qZ74sJrr75km6SoIX0sF
install_name
SiHost.exe
log_directory
SiHost
reconnect_delay
3000
startup_key
SiHost
subdirectory
SiHost

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2588-1-0x00000000002A0000-0x00000000002FE000-memory.dmp	family_quasar
behavioral2/files/0x00070000000233f6-12.dat	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SiHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SiHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SiHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SiHost.exe

Executes dropped EXE 4 IoCs

pid	Process
5084	SiHost.exe
2504	SiHost.exe
3460	SiHost.exe
5116	SiHost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
2	ip-api.com
8	api.ipify.org

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost\SiHost.exe	SiHost.exe
File opened for modification	C:\Windows\SysWOW64\SiHost	SiHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1688	5084	WerFault.exe	86
1376	2504	WerFault.exe	97
4548	3460	WerFault.exe	109
3596	5116	WerFault.exe	120

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe
2924	schtasks.exe
3752	schtasks.exe
4784	schtasks.exe
3208	schtasks.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4560	PING.EXE
4832	PING.EXE
4100	PING.EXE
3724	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	SiHost.exe
Token: SeDebugPrivilege	5084	SiHost.exe
Token: SeDebugPrivilege	2504	SiHost.exe
Token: SeDebugPrivilege	3460	SiHost.exe
Token: SeDebugPrivilege	5116	SiHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5084	SiHost.exe
2504	SiHost.exe
3460	SiHost.exe
5116	SiHost.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4784	2588	SiHost.exe	84
PID 2588 wrote to memory of 4784	2588	SiHost.exe	84
PID 2588 wrote to memory of 4784	2588	SiHost.exe	84
PID 2588 wrote to memory of 5084	2588	SiHost.exe	86
PID 2588 wrote to memory of 5084	2588	SiHost.exe	86
PID 2588 wrote to memory of 5084	2588	SiHost.exe	86
PID 5084 wrote to memory of 3208	5084	SiHost.exe	87
PID 5084 wrote to memory of 3208	5084	SiHost.exe	87
PID 5084 wrote to memory of 3208	5084	SiHost.exe	87
PID 5084 wrote to memory of 4696	5084	SiHost.exe	89
PID 5084 wrote to memory of 4696	5084	SiHost.exe	89
PID 5084 wrote to memory of 4696	5084	SiHost.exe	89
PID 4696 wrote to memory of 3848	4696	cmd.exe	92
PID 4696 wrote to memory of 3848	4696	cmd.exe	92
PID 4696 wrote to memory of 3848	4696	cmd.exe	92
PID 4696 wrote to memory of 4560	4696	cmd.exe	94
PID 4696 wrote to memory of 4560	4696	cmd.exe	94
PID 4696 wrote to memory of 4560	4696	cmd.exe	94
PID 4696 wrote to memory of 2504	4696	cmd.exe	97
PID 4696 wrote to memory of 2504	4696	cmd.exe	97
PID 4696 wrote to memory of 2504	4696	cmd.exe	97
PID 2504 wrote to memory of 2852	2504	SiHost.exe	98
PID 2504 wrote to memory of 2852	2504	SiHost.exe	98
PID 2504 wrote to memory of 2852	2504	SiHost.exe	98
PID 2504 wrote to memory of 4552	2504	SiHost.exe	100
PID 2504 wrote to memory of 4552	2504	SiHost.exe	100
PID 2504 wrote to memory of 4552	2504	SiHost.exe	100
PID 4552 wrote to memory of 1020	4552	cmd.exe	103
PID 4552 wrote to memory of 1020	4552	cmd.exe	103
PID 4552 wrote to memory of 1020	4552	cmd.exe	103
PID 4552 wrote to memory of 4832	4552	cmd.exe	105
PID 4552 wrote to memory of 4832	4552	cmd.exe	105
PID 4552 wrote to memory of 4832	4552	cmd.exe	105
PID 4552 wrote to memory of 3460	4552	cmd.exe	109
PID 4552 wrote to memory of 3460	4552	cmd.exe	109
PID 4552 wrote to memory of 3460	4552	cmd.exe	109
PID 3460 wrote to memory of 2924	3460	SiHost.exe	110
PID 3460 wrote to memory of 2924	3460	SiHost.exe	110
PID 3460 wrote to memory of 2924	3460	SiHost.exe	110
PID 3460 wrote to memory of 4564	3460	SiHost.exe	112
PID 3460 wrote to memory of 4564	3460	SiHost.exe	112
PID 3460 wrote to memory of 4564	3460	SiHost.exe	112
PID 4564 wrote to memory of 5044	4564	cmd.exe	115
PID 4564 wrote to memory of 5044	4564	cmd.exe	115
PID 4564 wrote to memory of 5044	4564	cmd.exe	115
PID 4564 wrote to memory of 4100	4564	cmd.exe	117
PID 4564 wrote to memory of 4100	4564	cmd.exe	117
PID 4564 wrote to memory of 4100	4564	cmd.exe	117
PID 4564 wrote to memory of 5116	4564	cmd.exe	120
PID 4564 wrote to memory of 5116	4564	cmd.exe	120
PID 4564 wrote to memory of 5116	4564	cmd.exe	120
PID 5116 wrote to memory of 3752	5116	SiHost.exe	121
PID 5116 wrote to memory of 3752	5116	SiHost.exe	121
PID 5116 wrote to memory of 3752	5116	SiHost.exe	121
PID 5116 wrote to memory of 4676	5116	SiHost.exe	123
PID 5116 wrote to memory of 4676	5116	SiHost.exe	123
PID 5116 wrote to memory of 4676	5116	SiHost.exe	123
PID 4676 wrote to memory of 3756	4676	cmd.exe	126
PID 4676 wrote to memory of 3756	4676	cmd.exe	126
PID 4676 wrote to memory of 3756	4676	cmd.exe	126
PID 4676 wrote to memory of 3724	4676	cmd.exe	128
PID 4676 wrote to memory of 3724	4676	cmd.exe	128
PID 4676 wrote to memory of 3724	4676	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\SiHost.exe
"C:\Users\Admin\AppData\Local\Temp\SiHost.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "SiHost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\SiHost.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4784
- C:\Windows\SysWOW64\SiHost\SiHost.exe
  "C:\Windows\SysWOW64\SiHost\SiHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SiHost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SiHost\SiHost.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKrnl0k8GBSB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:4560
  - - C:\Windows\SysWOW64\SiHost\SiHost.exe
      "C:\Windows\SysWOW64\SiHost\SiHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "SiHost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SiHost\SiHost.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o8ZKNqSGSdIT.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1020
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4832
      - C:\Windows\SysWOW64\SiHost\SiHost.exe
        
        "C:\Windows\SysWOW64\SiHost\SiHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "SiHost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SiHost\SiHost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BVzvQpHYHkNA.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4100
        
        C:\Windows\SysWOW64\SiHost\SiHost.exe
        
        "C:\Windows\SysWOW64\SiHost\SiHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "SiHost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SiHost\SiHost.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOYLE0ivmpLl.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 2176
        9⤵
        Program crash
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1608
        7⤵
        Program crash
        
        PID:4548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1632
        5⤵
        Program crash
        
        PID:1376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1900
    3⤵
    - Program crash
    PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2504 -ip 2504
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3460 -ip 3460
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5116 -ip 5116
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SiHost.exe.log

Filesize
1KB

MD5
8013ca45a4b68a281377f2c7b517ac8a

SHA1
aff79b7c8f408e5ae6f00cf9d83e2fd95d9affc3

SHA256
234381ea204c431d0936c4141a38381629938e4f5d40dd0ef01de6a282abbae7

SHA512
428305df713c12d2165303a9b0433c83a0e3f3088a9551deb6403e9351814c38c2377e7c22ede57bcd23ca764e02fce431c52aba6bf4b998b89a518129fda2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVzvQpHYHkNA.bat

Filesize
196B

MD5
7a3145f8fcf844ae3cd8bce488b60685

SHA1
d1ab6a80df2f019ded64338bc98d34edcf3f63f7

SHA256
30a2624ed8c06fc5ecc054a263ceb0fca999b17d1bb489d6af4d4af44d114b0f

SHA512
e3094f16c77ba51b91e18918b965a811052082f6b4cf8bd2d8229273b146110a8f188b0af32068ad95497676f0604bc293b29e8d4cdc44824e5e7b718bed856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKrnl0k8GBSB.bat

Filesize
196B

MD5
9a179e54e5f42c940f68265b1a010f12

SHA1
a7fbd764dbfb8690e869c77118f170904f735650

SHA256
02d98ead6bd1cc559bfd008615a100dfc6834e431fe38213d57f18113a785009

SHA512
4f692d44c7edfa818f2652abe36a84a881c4f152e991c4fcac2050f4d0fee05e2a1bc50f01d84d5a5704d5dde32d075ee11ca54ab47aeb97b5b1b0f590470837

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOYLE0ivmpLl.bat

Filesize
196B

MD5
56ea296d68eb8828b087eb0711690280

SHA1
e3abc765e1097a5d57315b555286ac108eed1339

SHA256
049a89376aab73510461b36908282bf979269b4720f662544820d1e1c2eb34cb

SHA512
75fcad899ce959f1b6c77ec912239f052774912cb407d0a8eb987d8ca5dba1afed8fd6dde10ef9f189ecc6ef3094c3c87e4aa1525a018fa86bec124eb43a3e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\o8ZKNqSGSdIT.bat

Filesize
196B

MD5
bb19e42226c14be82c8646d29d67158f

SHA1
1a40c876ac6aece0c69771847394b0e18a5dab1a

SHA256
0ba3f1e1ed33d974aaf3aa132edad24c3e0612df2b2057e5f435721788f240d1

SHA512
d39a00af4a3e8f3632ab18633a35e76ef7e308454b3bb2fcdcacea562f5e029c16fb40d00c3fb5f0f5ae17e8eb57dfdc2dc51b7d6bc1b790e828275d09024037

Download Submit
C:\Users\Admin\AppData\Roaming\SiHost\06-14-2024

Filesize
224B

MD5
5fc8a9e1cd94300dfdcc56daf7f09f6f

SHA1
5ad184e69d7f86bac22bbd4c0ff6d7852875547c

SHA256
b09e643e004e4dff5e018f61cb858004296e0f4fc0d04a392fb9cbbcc996df5f

SHA512
ad9df377782985b88e4c9b46a742d38348833d8707fe9638d8f0eb012e0a79fcafe60c4e2607732e731f5b6e5003f1dd1ba3f616b2e71866d4ff437f0fd3d8ec

Download Submit
C:\Users\Admin\AppData\Roaming\SiHost\06-14-2024

Filesize
224B

MD5
1b9ffb5305dabaabc6e5caa5e10791ed

SHA1
dfbd1dd0d856ddb793f73ccbdf7330358e0b4a04

SHA256
2b07b6fd046e3a08bda5b2431592c330c0767aa8c44d07a7934c907848772429

SHA512
1a3f13b688ff3a8fc3ac38180a3848a31c20858238546865e459496a5d865d7f3296de73e48d55a7c4da48cb80e91e307fc53ead1f232198bcff9507ba2a35a9

Download Submit
C:\Windows\SysWOW64\SiHost\SiHost.exe

Filesize
348KB

MD5
c6250d3d376c1956627bf8f4f827bbd6

SHA1
7444e248bc182e849556cfa3c2519e30ae8ee82f

SHA256
9b87f3813641da8be21f130cdd5cb52c2f8ae5494a408d2303f9770b7f3039d8

SHA512
8de084cac0e01c8d5b1c8e5443ef97a1412bb4b7ed41d1e4c5e1b5e40750b0bb6d06c9a3b16e325ca8bbe260397ee130560d0d699ff302f2ef5f8196231fa44e

Download Submit
memory/2588-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/2588-3-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/2588-2-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/2588-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2588-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2588-1-0x00000000002A0000-0x00000000002FE000-memory.dmp

Filesize
376KB

Download
memory/2588-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/2588-8-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/2588-6-0x0000000005A10000-0x0000000005A22000-memory.dmp

Filesize
72KB

Download
memory/2588-7-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/5084-25-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/5084-20-0x00000000061E0000-0x00000000061EA000-memory.dmp

Filesize
40KB

Download
memory/5084-18-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/5084-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads