quasar | f2a22a1b44253073cda975e57ee937304a434538f4df0942a65b25889f0fa24b

General

Target

SeroXen.zip
Size

50.0MB
MD5

02153febfdb4c44d05aa380c7d321dde
SHA1

04c2d0a3a9055e332684344e6a0f8f8aae6a4d0d
SHA256

f2a22a1b44253073cda975e57ee937304a434538f4df0942a65b25889f0fa24b
SHA512

f67bbea2de074ae644413ac44b2ce9f9906dfad807333972932b28b6787487cd6dcf96d6d9f562dbd6aca0121023531713383ccc599f15fca763eee334e44914
SSDEEP

1572864:Lnc3ZAr4LYmozPeXrEvg0ePqwMS7YHSzzb+58sVU:Lc3ZAr4lwWwVQMS7YHSzzb+OsVU

Score

10^/10

quasar evasion spyware themida trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\New folder\SeroXen.exe	family_quasar
behavioral1/memory/5096-76-0x000001D32CBD0000-0x000001D32F264000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SeroXen.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SeroXen.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SeroXen.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SeroXen.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SeroXen.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SeroXen.exe

Executes dropped EXE 1 IoCs

Processes:

SeroXen.exe

pid process

5096 SeroXen.exe
Loads dropped DLL 4 IoCs

Processes:

SeroXen.exe

pid process

5096 SeroXen.exe
5096 SeroXen.exe
5096 SeroXen.exe
5096 SeroXen.exe

pid	process
5096	SeroXen.exe

pid	process
5096	SeroXen.exe
5096	SeroXen.exe
5096	SeroXen.exe
5096	SeroXen.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\e598627d-8851-4529-8c98-58e978071e98\C5VM64.dll	themida
behavioral1/memory/5096-85-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida
behavioral1/memory/5096-86-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida
behavioral1/memory/5096-102-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida
behavioral1/memory/5096-114-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida
behavioral1/memory/5096-121-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida
behavioral1/memory/5096-125-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SeroXen.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SeroXen.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SeroXen.exe

pid process

5096 SeroXen.exe
Drops file in Windows directory 1 IoCs

Processes:

SeroXen.exe

description ioc process

File created C:\Windows\rescache\_merged\1847152663\4105898438.pri SeroXen.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SeroXen.exe

pid	process
5096	SeroXen.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1847152663\4105898438.pri	SeroXen.exe

Modifies registry class 2 IoCs

Processes:

7zFM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4312 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 4312 7zFM.exe
Token: 35 4312 7zFM.exe
Token: SeSecurityPrivilege 4312 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

4312 7zFM.exe
4312 7zFM.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SeroXen.exe

pid process

5096 SeroXen.exe
5096 SeroXen.exe

pid	process
4312	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	4312	7zFM.exe
Token: 35	4312	7zFM.exe
Token: SeSecurityPrivilege	4312	7zFM.exe

pid	process
4312	7zFM.exe
4312	7zFM.exe

pid	process
5096	SeroXen.exe
5096	SeroXen.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SeroXen.zip
1⤵
PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3648

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SeroXen.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4312

C:\Users\Admin\Desktop\New folder\SeroXen.exe
"C:\Users\Admin\Desktop\New folder\SeroXen.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
ac4b20a781fe9996d0e4d62043f8c63b

SHA1
844a5b02f46fc207c6e35e9724ed5b24470b029a

SHA256
e88b5a6405f9b5abfb83f5bb2538ec4146b345c46a0f119490fcb6267dc3f14d

SHA512
d85efb126ae2d1498e6812b09bcbd79cb168292930c95f023f3f05a3347325e81d567e3b00f0c01e2a91b0a0a5adbf5d340d049324c5bc764d2542d65943f0b2

Download Submit
C:\Users\Admin\Desktop\New folder\C5VM.dll
Filesize
1.1MB

MD5
37691c7533a9327f520ebe21faa72191

SHA1
328ba7fe8627883bc3e31b7bf1cd317b442a4c08

SHA256
de6f08708b8bc6562828c7787769d14752b2c1ab0b0e9b34b1ed44987bd2f842

SHA512
b6334eba7103a986d4e2c12b38f34d084ce8d6b986ccb9775ec5d623b988546ce97308ddeb0239a5ec25e9d5782a27c777af7f89e757fdd35047723c4a0afdb4

Download Submit
C:\Users\Admin\Desktop\New folder\Renci.SshNet.dll
Filesize
786KB

MD5
38cd4058d861c08800a2a52ab41f929d

SHA1
9f5f747f2bd6bcb75ff2935833c617718fbe39cb

SHA256
57e8f49f8347c5e9444c138846a85868c52829b8ee99f0bde905e4fb3127339f

SHA512
3e0761550179952e60263ecbe803f0fd3ed32c03712e36e4f6cde53d1a039869bb210d04c1c1bda235226d362dc93d290e7f42291822b5daea4247070a891435

Download Submit
C:\Users\Admin\Desktop\New folder\SeroXen.exe
Filesize
38.6MB

MD5
89a7d73bad622bbd0b9dfb8e80f8c42e

SHA1
f1ac96f1d956254c6b2209f457355da89c987d8f

SHA256
7cb37cd110a388998ce95819da915446331f614a5da8d5cfeed953812ada23f1

SHA512
760e8e7087ac107ec9e12caaa26968142ddd62ddd82d0e6abfcaa35de8f03917323e97147e72b63fb3dca27756726f4f8fa68f89f9e5acc70898c4c4b0a7bdd0

Download Submit
\Users\Admin\AppData\Local\Temp\e598627d-8851-4529-8c98-58e978071e98\C5VM64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
\Users\Admin\Desktop\New folder\PTOAuth.dll
Filesize
2.3MB

MD5
ced7e9cdea3c1dceedab64214c6dcb83

SHA1
73da7147478f83db810de4680e1e4fad13281a93

SHA256
4287556856619243ab4546046cea447e2481b2e7a1e7a26855f28d49918bfd87

SHA512
dee3a60236f044b7bee7baa384db5b9ecaa291d83583fa40cbac561e1419a481901a728d632653c150d5588ed29336fd64473e5ec5dbf11e7ca294c8dd278faf

Download Submit
\Users\Admin\Desktop\New folder\SeroXenPTO.bin
Filesize
161KB

MD5
839acc7894ecd3b706277a7c754d1ab3

SHA1
03ceb5f2f82b4e2f6a1b41da9300564d78e0b13d

SHA256
a601e5352480503c69e2baa53c589a40881051965b4220bed1c17a5b36735b35

SHA512
46a713c005b2acc8db03023c63073603fc4a10e578429fe3783279e739b57942892ef5332e8ecf72e7157c50ee02ab1f10a3e681399e72b83714730f945314fd

Download Submit
memory/5096-94-0x000001D330FB0000-0x000001D330FD2000-memory.dmp

Filesize
136KB

Download
memory/5096-103-0x000001D34B880000-0x000001D34B921000-memory.dmp

Filesize
644KB

Download
memory/5096-86-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download
memory/5096-93-0x000001D330F80000-0x000001D330FAC000-memory.dmp

Filesize
176KB

Download
memory/5096-85-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download
memory/5096-78-0x000001D349960000-0x000001D349A2A000-memory.dmp

Filesize
808KB

Download
memory/5096-89-0x000001D349ED0000-0x000001D349FE4000-memory.dmp

Filesize
1.1MB

Download
memory/5096-76-0x000001D32CBD0000-0x000001D32F264000-memory.dmp

Filesize
38.6MB

Download
memory/5096-97-0x00007FF85B430000-0x00007FF85B922000-memory.dmp

Filesize
4.9MB

Download
memory/5096-87-0x00007FF861470000-0x00007FF86159C000-memory.dmp

Filesize
1.2MB

Download
memory/5096-104-0x000001D34B930000-0x000001D34B9A1000-memory.dmp

Filesize
452KB

Download
memory/5096-102-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download
memory/5096-114-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download
memory/5096-123-0x000001D34BDF0000-0x000001D34BE61000-memory.dmp

Filesize
452KB

Download
memory/5096-122-0x000001D34B900000-0x000001D34B9A1000-memory.dmp

Filesize
644KB

Download
memory/5096-121-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download
memory/5096-125-0x00007FF85B930000-0x00007FF85C18F000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads