quasar | 6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b

General

Target

6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe
Size

3.2MB
MD5

dbdfb779556b39424d70176ff2bc5c76
SHA1

ea818c26ffcc9cd2cc1524573b1aadeea9f22edd
SHA256

6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b
SHA512

6064b0566f97d07974d660ebe1b7f6601581882ff73326ee15591c5ae0e0010c8ad7cf897af8945a3889d02148f0b4d4ba02daea2c6322d1b261db93f0370fe4
SSDEEP

49152:ZvnI22SsaNYfdPBldt698dBcjHfxcEf8gk/Ja5oGd8KTHHB72eh2NT:ZvI22SsaNYfdPBldt6+dBcjHfxkY

Score

10^/10

quasar owenn persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Owenn

C2

192.168.0.15:4782

Mutex

2ce88ce3-f2ee-4e1c-b4b7-66f22a22f4e7

Attributes

encryption_key
57E7FE37FD841837FD1B11121840380ED1D1BCFA
install_name
Fortnite.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Service Host: Engine
subdirectory
GameFile

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000CB0000-0x0000000000FE4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000CB0000-0x0000000000FE4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000CB0000-0x0000000000FE4000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-1-0x0000000000CB0000-0x0000000000FE4000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe	INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE 1 IoCs

Processes:

Fortnite.exe

pid process

2384 Fortnite.exe

pid	process
2384	Fortnite.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exeFortnite.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host: Engine = "\"C:\\Users\\Admin\\AppData\\Roaming\\GameFile\\Fortnite.exe\""	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host: Engine = "\"C:\\Users\\Admin\\AppData\\Roaming\\GameFile\\Fortnite.exe\""	Fortnite.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4448 schtasks.exe
2160 schtasks.exe

pid	process
4448	schtasks.exe
2160	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exeFortnite.exe

description	pid	process
Token: SeDebugPrivilege	4752	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe
Token: SeDebugPrivilege	2384	Fortnite.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Fortnite.exe

pid process

2384 Fortnite.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Fortnite.exe

pid process

2384 Fortnite.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Fortnite.exe

pid process

2384 Fortnite.exe

pid	process
2384	Fortnite.exe

pid	process
2384	Fortnite.exe

pid	process
2384	Fortnite.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exeFortnite.exe

description	pid	process	target process
PID 4752 wrote to memory of 4448	4752	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe	schtasks.exe
PID 4752 wrote to memory of 4448	4752	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe	schtasks.exe
PID 4752 wrote to memory of 2384	4752	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe	Fortnite.exe
PID 4752 wrote to memory of 2384	4752	6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe	Fortnite.exe
PID 2384 wrote to memory of 2160	2384	Fortnite.exe	schtasks.exe
PID 2384 wrote to memory of 2160	2384	Fortnite.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe
"C:\Users\Admin\AppData\Local\Temp\6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Service Host: Engine" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4448

C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe
"C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Service Host: Engine" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GameFile\Fortnite.exe
Filesize
3.2MB

MD5
dbdfb779556b39424d70176ff2bc5c76

SHA1
ea818c26ffcc9cd2cc1524573b1aadeea9f22edd

SHA256
6e2a82833646e95bd6d98557c8f9746a8b8ae6a1c7cb1f713b475ee36d6c146b

SHA512
6064b0566f97d07974d660ebe1b7f6601581882ff73326ee15591c5ae0e0010c8ad7cf897af8945a3889d02148f0b4d4ba02daea2c6322d1b261db93f0370fe4

Download Submit
memory/2384-9-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/2384-11-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/2384-12-0x0000000003070000-0x00000000030C0000-memory.dmp

Filesize
320KB

Download
memory/2384-13-0x000000001C2E0000-0x000000001C392000-memory.dmp

Filesize
712KB

Download
memory/2384-14-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/2384-15-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/4752-1-0x0000000000CB0000-0x0000000000FE4000-memory.dmp

Filesize
3.2MB

Download
memory/4752-2-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-10-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads