quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
297s
max time network
303s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (102) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral21/memory/2116-1-0x0000000000BA0000-0x0000000000C0C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral21/memory/3012-12-0x0000000000960000-0x00000000009CC000-memory.dmp	family_quasar
behavioral21/memory/552-29-0x0000000000CD0000-0x0000000000D3C000-memory.dmp	family_quasar
behavioral21/memory/2272-41-0x0000000000220000-0x000000000028C000-memory.dmp	family_quasar
behavioral21/memory/2836-53-0x0000000000EA0000-0x0000000000F0C000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exe

pid process

3012 Client.exe
552 Client.exe
2272 Client.exe
2836 Client.exe
Loads dropped DLL 4 IoCs

Processes:

Uni - Copy (102) - Copy - Copy - Copy.execmd.execmd.execmd.exe

pid process

2116 Uni - Copy (102) - Copy - Copy - Copy.exe
2064 cmd.exe
944 cmd.exe
2572 cmd.exe
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
21 ip-api.com
29 api.ipify.org
15 ip-api.com
23 api.ipify.org
27 ip-api.com
2 ip-api.com
6 api.ipify.org
8 ip-api.com
11 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exe

pid process

1980 schtasks.exe
2652 schtasks.exe
2392 schtasks.exe
2576 schtasks.exe
344 SCHTASKS.exe
2476 schtasks.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1752 PING.EXE
2228 PING.EXE
1232 PING.EXE
2980 PING.EXE

pid	process
3012	Client.exe
552	Client.exe
2272	Client.exe
2836	Client.exe

pid	process
2116	Uni - Copy (102) - Copy - Copy - Copy.exe
2064	cmd.exe
944	cmd.exe
2572	cmd.exe

flow	ioc
17	api.ipify.org
21	ip-api.com
29	api.ipify.org
15	ip-api.com
23	api.ipify.org
27	ip-api.com
2	ip-api.com
6	api.ipify.org
8	ip-api.com
11	api.ipify.org

pid	process
1980	schtasks.exe
2652	schtasks.exe
2392	schtasks.exe
2576	schtasks.exe
344	SCHTASKS.exe
2476	schtasks.exe

pid	process
1752	PING.EXE
2228	PING.EXE
1232	PING.EXE
2980	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Uni - Copy (102) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2116	Uni - Copy (102) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	3012	Client.exe
Token: SeDebugPrivilege	552	Client.exe
Token: SeDebugPrivilege	2272	Client.exe
Token: SeDebugPrivilege	2836	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (102) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.exe

description	pid	process	target process
PID 2116 wrote to memory of 2576	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 2116 wrote to memory of 2576	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 2116 wrote to memory of 2576	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 2116 wrote to memory of 2576	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 3012	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 2116 wrote to memory of 344	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2116 wrote to memory of 344	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2116 wrote to memory of 344	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2116 wrote to memory of 344	2116	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3012 wrote to memory of 2476	3012	Client.exe	schtasks.exe
PID 3012 wrote to memory of 2476	3012	Client.exe	schtasks.exe
PID 3012 wrote to memory of 2476	3012	Client.exe	schtasks.exe
PID 3012 wrote to memory of 2476	3012	Client.exe	schtasks.exe
PID 3012 wrote to memory of 2064	3012	Client.exe	cmd.exe
PID 3012 wrote to memory of 2064	3012	Client.exe	cmd.exe
PID 3012 wrote to memory of 2064	3012	Client.exe	cmd.exe
PID 3012 wrote to memory of 2064	3012	Client.exe	cmd.exe
PID 2064 wrote to memory of 2820	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2820	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2820	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2820	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2228	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2228	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2228	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2228	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 552	2064	cmd.exe	Client.exe
PID 552 wrote to memory of 1980	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 1980	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 1980	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 1980	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 944	552	Client.exe	cmd.exe
PID 552 wrote to memory of 944	552	Client.exe	cmd.exe
PID 552 wrote to memory of 944	552	Client.exe	cmd.exe
PID 552 wrote to memory of 944	552	Client.exe	cmd.exe
PID 944 wrote to memory of 2220	944	cmd.exe	chcp.com
PID 944 wrote to memory of 2220	944	cmd.exe	chcp.com
PID 944 wrote to memory of 2220	944	cmd.exe	chcp.com
PID 944 wrote to memory of 2220	944	cmd.exe	chcp.com
PID 944 wrote to memory of 1232	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 1232	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 1232	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 1232	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 944 wrote to memory of 2272	944	cmd.exe	Client.exe
PID 2272 wrote to memory of 2652	2272	Client.exe	schtasks.exe
PID 2272 wrote to memory of 2652	2272	Client.exe	schtasks.exe
PID 2272 wrote to memory of 2652	2272	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIVa5Ush6zkI.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2820

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2228

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2s3PeLbeqtxP.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1232

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vyF8EktpOeyU.bat" "
7⤵
- Loads dropped DLL
PID:2572

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2332

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XtE097mNBGnu.bat" "
9⤵
PID:1496

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:840

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1752

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2s3PeLbeqtxP.bat
Filesize
207B

MD5
89e401bb419f07b42b78011a30086074

SHA1
6eb25b4a3e5c8903fa3680b5745e3cf9a656e92b

SHA256
e661b30330a24781f79bc907f8def5438906252cce02eb243abe0dc1c5fd0862

SHA512
5d02ed61680dd1d46d0f24a1bf483c797371c6db68f24ab546436ebaeddf3528ab29e9fac20db5c7b949682b2dab27fdf2ac406d190a661a0a021d2b51d90d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIVa5Ush6zkI.bat
Filesize
207B

MD5
109971e0f70db554a32a1784a08a14ac

SHA1
7cafd41fa9e19677fabd0ac25c79852a6ce2b878

SHA256
d3d4457186b96518bd21dcf06dd248c55fc5e8aed6130d298a513d32b8bd2653

SHA512
5fd849cd523efd33a402a8d69641b28506e9f2334ae1bee167c55048d036927c507a617d0c61e40163bb382b300f091475db2ff39e1b4c8b3fefc17840ceff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\XtE097mNBGnu.bat
Filesize
207B

MD5
94a2927ad762ea0667d69150d7ec7639

SHA1
e930d7ec2ba4e6a2b8fbd8a768cb9a17bf457320

SHA256
6047e3a8e887b967b8f564187f168d2a78b4a2c0cac537f778e8427459ca6f9b

SHA512
f5d8f8e879015876f7cab7a3b16d2841a249bbaa240b5b110e8c241d09e91efa0bd03625feba32a0009bfaa4c1600dc5d17453be3eed34082d9aad68b24ef960

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyF8EktpOeyU.bat
Filesize
207B

MD5
e2539ffb3eb4d1813d96035f6d712c13

SHA1
c78f3e5c010722e89c53d53914793ea7db149f43

SHA256
a408e0a6bf46c75d2680cf0d36063b3e4368cdcea9da94ff5fa3f652fe3b375e

SHA512
e82bebdffbbb8227a2bb46bf3b0cd0c33ef057964ec3ff141a7b677a0016f14e8b5eeea1dc13a702a6fd7ba65e2ba7d8c3d58b3270f83794a2344f0b0332924c

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/552-29-0x0000000000CD0000-0x0000000000D3C000-memory.dmp

Filesize
432KB

Download
memory/2116-3-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/2116-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-4-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-1-0x0000000000BA0000-0x0000000000C0C000-memory.dmp

Filesize
432KB

Download
memory/2272-41-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2836-53-0x0000000000EA0000-0x0000000000F0C000-memory.dmp

Filesize
432KB

Download
memory/3012-13-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-25-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-16-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-14-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-12-0x0000000000960000-0x00000000009CC000-memory.dmp

Filesize
432KB

Download