quasar | 5800caf82a36637733bfcbf94ff7d84a94b9aed9219e379f8a7fd0fdb9ba2f65

General

Target

server.exe
Size

3.1MB
MD5

07dccd8779b74ad4a54626bcd2cb3bef
SHA1

f433850738d4a26367da7596b73003200053362c
SHA256

5800caf82a36637733bfcbf94ff7d84a94b9aed9219e379f8a7fd0fdb9ba2f65
SHA512

4c9c9c9801f62fc8ad811e0e0f46eed808fb2085470f6ba82e1d8319f27459731ef8a77db8cc4be389c452816156bcdcf1a0e0e709b5559b0a072601e9f65cbc
SSDEEP

49152:3vGlL26AaNeWgPhlmVqvMQ7XSKZoRJ64bR3LoGdZtTHHB72eh2NT:3vGL26AaNeWgPhlmVqkQ7XSKZoRJ6SJ

Score

10^/10

quasar @123 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

@123

C2

mother-amanda.gl.at.ply.gg:21734

Mutex

9e934c1b-08a6-4685-bb6a-de27a875f421

Attributes

encryption_key
8E8D64935A72F87FC7C5AD95C61A6C59BC55CDA1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4288-1-0x00000000009D0000-0x0000000000CF4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2608 PING.EXE
852 PING.EXE
224 PING.EXE
3592 PING.EXE
1136 PING.EXE
2228 PING.EXE
3652 PING.EXE

pid	process
2608	PING.EXE
852	PING.EXE
224	PING.EXE
3592	PING.EXE
1136	PING.EXE
2228	PING.EXE
3652	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	4288	server.exe
Token: SeDebugPrivilege	3492	server.exe
Token: SeDebugPrivilege	1620	server.exe
Token: SeDebugPrivilege	4236	server.exe
Token: SeDebugPrivilege	4656	server.exe
Token: SeDebugPrivilege	1944	server.exe
Token: SeDebugPrivilege	3180	server.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

pid process

4288 server.exe
3492 server.exe
1620 server.exe
4236 server.exe
4656 server.exe
1944 server.exe
3180 server.exe

pid	process
4288	server.exe
3492	server.exe
1620	server.exe
4236	server.exe
4656	server.exe
1944	server.exe
3180	server.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

server.execmd.exeserver.execmd.exeserver.execmd.exeserver.execmd.exeserver.execmd.exeserver.execmd.exeserver.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 1196	4288	server.exe	cmd.exe
PID 4288 wrote to memory of 1196	4288	server.exe	cmd.exe
PID 1196 wrote to memory of 1528	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 1528	1196	cmd.exe	chcp.com
PID 1196 wrote to memory of 224	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 224	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 3492	1196	cmd.exe	server.exe
PID 1196 wrote to memory of 3492	1196	cmd.exe	server.exe
PID 3492 wrote to memory of 2904	3492	server.exe	cmd.exe
PID 3492 wrote to memory of 2904	3492	server.exe	cmd.exe
PID 2904 wrote to memory of 2356	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 2356	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 3592	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 3592	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 1620	2904	cmd.exe	server.exe
PID 2904 wrote to memory of 1620	2904	cmd.exe	server.exe
PID 1620 wrote to memory of 2784	1620	server.exe	cmd.exe
PID 1620 wrote to memory of 2784	1620	server.exe	cmd.exe
PID 2784 wrote to memory of 2640	2784	cmd.exe	chcp.com
PID 2784 wrote to memory of 2640	2784	cmd.exe	chcp.com
PID 2784 wrote to memory of 1136	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 1136	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 4236	2784	cmd.exe	server.exe
PID 2784 wrote to memory of 4236	2784	cmd.exe	server.exe
PID 4236 wrote to memory of 1092	4236	server.exe	cmd.exe
PID 4236 wrote to memory of 1092	4236	server.exe	cmd.exe
PID 1092 wrote to memory of 4896	1092	cmd.exe	chcp.com
PID 1092 wrote to memory of 4896	1092	cmd.exe	chcp.com
PID 1092 wrote to memory of 2228	1092	cmd.exe	PING.EXE
PID 1092 wrote to memory of 2228	1092	cmd.exe	PING.EXE
PID 1092 wrote to memory of 4656	1092	cmd.exe	server.exe
PID 1092 wrote to memory of 4656	1092	cmd.exe	server.exe
PID 4656 wrote to memory of 2180	4656	server.exe	cmd.exe
PID 4656 wrote to memory of 2180	4656	server.exe	cmd.exe
PID 2180 wrote to memory of 3176	2180	cmd.exe	chcp.com
PID 2180 wrote to memory of 3176	2180	cmd.exe	chcp.com
PID 2180 wrote to memory of 3652	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 3652	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 1944	2180	cmd.exe	server.exe
PID 2180 wrote to memory of 1944	2180	cmd.exe	server.exe
PID 1944 wrote to memory of 1824	1944	server.exe	cmd.exe
PID 1944 wrote to memory of 1824	1944	server.exe	cmd.exe
PID 1824 wrote to memory of 1444	1824	cmd.exe	chcp.com
PID 1824 wrote to memory of 1444	1824	cmd.exe	chcp.com
PID 1824 wrote to memory of 2608	1824	cmd.exe	PING.EXE
PID 1824 wrote to memory of 2608	1824	cmd.exe	PING.EXE
PID 1824 wrote to memory of 3180	1824	cmd.exe	server.exe
PID 1824 wrote to memory of 3180	1824	cmd.exe	server.exe
PID 3180 wrote to memory of 720	3180	server.exe	cmd.exe
PID 3180 wrote to memory of 720	3180	server.exe	cmd.exe
PID 720 wrote to memory of 4072	720	cmd.exe	chcp.com
PID 720 wrote to memory of 4072	720	cmd.exe	chcp.com
PID 720 wrote to memory of 852	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 852	720	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wrr28RXegIfd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1528

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:224

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIGLmipQcGa1.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2356

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:3592

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sB94YRkaCAzb.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1136

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JjitCF1wQiDF.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:4896

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:2228

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cwhqui4oFn7x.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3176

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:3652

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FnDPfQMKWaF.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:1444

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:2608

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iK8BlHZM1Xcf.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:4072

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\server.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FnDPfQMKWaF.bat
Filesize
203B

MD5
8ffe60ca6e140394cb71a44b54253fd2

SHA1
3a80e45ac587c3cf5ffd74cd054269efb28e5d19

SHA256
45ad178eaaf2559ba936569af4b7ba94e1958f925cb4ee5ae2a733aad06762f3

SHA512
e399af016aaa63a85cedd2e1391abb95365f76dd03f745f2222178d6e36e3c56d3766698ba5db663d9420e05da8d03fb405613942cfdd9a3e608119320f1390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIGLmipQcGa1.bat
Filesize
203B

MD5
68709e6889e362ff7b6ff5bf13f8546f

SHA1
9b1ef1b8203a46fcac2fcf94110d6fe2535dd9bf

SHA256
417f0f640ad1a7056ad76cee43bb4ef4a4dc845d1d12d6493a7da48d4534411d

SHA512
7e21d5acd4ab43d14c15c4c590398c7b278fd6c4008671cc862083f107199a494f9b3b09e83e722c3c55ea9c354ed13869dcd7d31f8c17d589e7c4adc57f1911

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwhqui4oFn7x.bat
Filesize
203B

MD5
c79dcce7481e05aa16cbb68c290a746c

SHA1
e287648be036630f7de8a81af56b5a128a21767e

SHA256
ebd87722da3dceb5f4bf36fd175517ddb86dcb40e06deb1dfd7256049f36efe3

SHA512
26668ad055cac1a5ff889fb3c226395dedcc084abfffe6c375d892ef25a3505904a54f3a45087e5ac7e941d4d86ffc19f9938d5911a7cbe99283ddb294870475

Download Submit
C:\Users\Admin\AppData\Local\Temp\JjitCF1wQiDF.bat
Filesize
203B

MD5
065ab646749059e3f55d0fc28cf35eba

SHA1
a5e9db99cf1a1ef0e0fbff348e8cd000fe6c91c0

SHA256
bd0f0fac8f51da26dcf2fb923945099927fe88580bf43445bffeb335ca6f678f

SHA512
24408fa648a523f2cebbb14615653e93482697f1c5dda1b8b351e7dbca7b658a27417080c483a0866541818c9c11396ede7e96362de53941332e14eeda5d362a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrr28RXegIfd.bat
Filesize
203B

MD5
aae5f3e695612b5d2515194682550ed4

SHA1
2206ed2000b634463905ef7f7c09f137b0e9f229

SHA256
921f045f29434210baa178b8a24944a5c13e4a3b097f35974f8ef439aa82cf99

SHA512
941bb03f7afb735d653ef014ef1e8c433ca211c6979c64b6056a6c0b0a4d4c66f45e945d65cfcc4f89497bdeb5027f67914e06506460dd0883224943afe5fbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iK8BlHZM1Xcf.bat
Filesize
203B

MD5
210c528b63b93b706d2d94d75cbfea3c

SHA1
7076bf0a835034c5fc744956d6ff1e06e1d6e033

SHA256
0f6ea0caf7e8bf15cf049dec4163b8785b20b061c6e2f67b03e6b38eb63dfdbb

SHA512
2142ed898083cec410bf673506c5d85018eb657b91a47b94b0cf3f8699f9b321958189e302b369804fa2b46a2d8a151b7f6c592cffdb5dc380d305f46505364c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sB94YRkaCAzb.bat
Filesize
203B

MD5
f7c8974ce1b8e7e0097a74e08c134b0e

SHA1
be678ab8a05cc65fea14a6e8dc60d62737cdc78d

SHA256
8db1ceb78c30cb6301a14405e37480cfde364aeb59555fa878930b1e8d66a359

SHA512
a220f0807610e6734af2dc5ab1df183d0d70a088bb4d6c246d5af2020e60c8c161f20c412ed69c0fdd77473db76d5227e2286846923a147d52b060cc6cc7d4a5

Download Submit
memory/3492-12-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/3492-16-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-0-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

Filesize
8KB

Download
memory/4288-9-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-4-0x000000001BF20000-0x000000001BFD2000-memory.dmp

Filesize
712KB

Download
memory/4288-3-0x000000001BE10000-0x000000001BE60000-memory.dmp

Filesize
320KB

Download
memory/4288-2-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

Filesize
10.8MB

Download
memory/4288-1-0x00000000009D0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads