quasar | 7915d96fd92766003b73b58c3e9b375487479b9b582ed3be8a88bf5fed8a8208

General

Target

LyphaBuilder.exe
Size

1.3MB
MD5

51bacfc2db65bb01e860893dd01c57bc
SHA1

1499f3ba3f3cbdc3e4db3aff5d15cb38c5cfebd5
SHA256

7915d96fd92766003b73b58c3e9b375487479b9b582ed3be8a88bf5fed8a8208
SHA512

9e93171d3118f192f60e5b52fea67a66a3eca1ab23230da44c1a1ce80119c642ba65f61eee32afe6cec8fbe0a7fd5176cea9fdff9e3917a26114a3d11d33cb66
SSDEEP

24576:OeZa7DEThQ6Cyn2OV7s+y1SXHNC0ssga+R6bcj+RZuQHWi3F//vxy6omL2:d8ETq6CyVA+y1I40ROIbNB2YFpPomL

Score

10^/10

quasar remcos spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Remcos

C2

team-circles.gl.at.ply.gg:25349

Mutex

109bae44-c7e4-46f2-82cd-2c3efb4dc47e

Attributes

encryption_key
78AF43F549EE55D0FC30D38EC96EAA6F3A3F5CDF
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
WD Defender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	family_quasar
behavioral1/memory/2872-15-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar
behavioral1/memory/1700-22-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

Lypha-Builder.exeRuntime Broker.exeRuntime Broker.exe

pid process

3060 Lypha-Builder.exe
2872 Runtime Broker.exe
1700 Runtime Broker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2644 schtasks.exe
2700 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exe

description pid process

Token: SeDebugPrivilege 2872 Runtime Broker.exe
Token: SeDebugPrivilege 1700 Runtime Broker.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Runtime Broker.exe

pid process

1700 Runtime Broker.exe

pid	process
3060	Lypha-Builder.exe
2872	Runtime Broker.exe
1700	Runtime Broker.exe

pid	process
2644	schtasks.exe
2700	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2872	Runtime Broker.exe
Token: SeDebugPrivilege	1700	Runtime Broker.exe

pid	process
1700	Runtime Broker.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

LyphaBuilder.exeRuntime Broker.exeRuntime Broker.exe

description	pid	process	target process
PID 2880 wrote to memory of 3060	2880	LyphaBuilder.exe	Lypha-Builder.exe
PID 2880 wrote to memory of 3060	2880	LyphaBuilder.exe	Lypha-Builder.exe
PID 2880 wrote to memory of 3060	2880	LyphaBuilder.exe	Lypha-Builder.exe
PID 2880 wrote to memory of 2872	2880	LyphaBuilder.exe	Runtime Broker.exe
PID 2880 wrote to memory of 2872	2880	LyphaBuilder.exe	Runtime Broker.exe
PID 2880 wrote to memory of 2872	2880	LyphaBuilder.exe	Runtime Broker.exe
PID 2872 wrote to memory of 2644	2872	Runtime Broker.exe	schtasks.exe
PID 2872 wrote to memory of 2644	2872	Runtime Broker.exe	schtasks.exe
PID 2872 wrote to memory of 2644	2872	Runtime Broker.exe	schtasks.exe
PID 2872 wrote to memory of 1700	2872	Runtime Broker.exe	Runtime Broker.exe
PID 2872 wrote to memory of 1700	2872	Runtime Broker.exe	Runtime Broker.exe
PID 2872 wrote to memory of 1700	2872	Runtime Broker.exe	Runtime Broker.exe
PID 1700 wrote to memory of 2700	1700	Runtime Broker.exe	schtasks.exe
PID 1700 wrote to memory of 2700	1700	Runtime Broker.exe	schtasks.exe
PID 1700 wrote to memory of 2700	1700	Runtime Broker.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LyphaBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\LyphaBuilder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
2⤵
- Executes dropped EXE
PID:3060

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2644

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
Filesize
439KB

MD5
4aa8dcada269e610add8a77aa7652039

SHA1
e3b1bfbbf88e5fd3dcfd2999469e8d861d1c7667

SHA256
e32e182cbca18e6608ad4c1d4837f53c7a24e02ade6c69dc2cff3b16dc383a21

SHA512
e859bff8beb5fc1508b4b5bd60fbf8372eb601882b2d1de5b06eeaa89219d2a517297b5de4f743ed79b94a9076805585f37637be833dfc5c4a1cc0349a7bc4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.1MB

MD5
0296021acfb4f37e63df4de7461ebfd9

SHA1
14117dba6ce87cbb6561ebdfffec60cb21860800

SHA256
4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a

SHA512
ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

Download Submit
memory/1700-22-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/2872-15-0x00000000008A0000-0x0000000000BC4000-memory.dmp

Filesize
3.1MB

Download
memory/2880-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000FD0000-0x000000000112E000-memory.dmp

Filesize
1.4MB

Download
memory/2880-6-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-14-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-13-0x00000000013B0000-0x0000000001424000-memory.dmp

Filesize
464KB

Download
memory/3060-16-0x0000000000520000-0x0000000000546000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads