quasar | 4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a

General

Target

Remcosv4.9.3LightMOD.exe
Size

40.3MB
MD5

d3de21913cdebc1c84d668de22831d85
SHA1

2619ebb87016473c06ed820a8d26120b704b8023
SHA256

4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a
SHA512

bccee54ff31b9321020276c311f609951c47dac790ddfc47bcca0d19052fcd5d27340cb99d87f4c762e11c99f39a2b7cbe379d2fabdc8da91c637adccd8339cf
SSDEEP

786432:MukwgGc0LdSPyiMJj2uK0P7ts6CcEwVOgjxBdgoz8pF4zqIdvXO/:Xc0QaiYj2AP7y62wV5jxBXVPG

Score

10^/10

quasar remcos spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Remcos

C2

team-circles.gl.at.ply.gg:25349

Mutex

109bae44-c7e4-46f2-82cd-2c3efb4dc47e

Attributes

encryption_key
78AF43F549EE55D0FC30D38EC96EAA6F3A3F5CDF
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
WD Defender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	family_quasar
behavioral1/memory/820-14-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
behavioral1/memory/2612-21-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

Processes:

Remcos v4.9.3 Light MOD.exeRuntime Broker.exeRuntime Broker.exe

pid process

3048 Remcos v4.9.3 Light MOD.exe
820 Runtime Broker.exe
2612 Runtime Broker.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Remcos v4.9.3 Light MOD.exe

pid process

3048 Remcos v4.9.3 Light MOD.exe
3048 Remcos v4.9.3 Light MOD.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2676 schtasks.exe
1436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Remcos v4.9.3 Light MOD.exe

pid process

3048 Remcos v4.9.3 Light MOD.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exe

description pid process

Token: SeDebugPrivilege 820 Runtime Broker.exe
Token: SeDebugPrivilege 2612 Runtime Broker.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Runtime Broker.exeRemcos v4.9.3 Light MOD.exe

pid process

2612 Runtime Broker.exe
3048 Remcos v4.9.3 Light MOD.exe

pid	process
3048	Remcos v4.9.3 Light MOD.exe
820	Runtime Broker.exe
2612	Runtime Broker.exe

pid	process
3048	Remcos v4.9.3 Light MOD.exe
3048	Remcos v4.9.3 Light MOD.exe

pid	process
2676	schtasks.exe
1436	schtasks.exe

pid	process
3048	Remcos v4.9.3 Light MOD.exe

description	pid	process
Token: SeDebugPrivilege	820	Runtime Broker.exe
Token: SeDebugPrivilege	2612	Runtime Broker.exe

pid	process
2612	Runtime Broker.exe
3048	Remcos v4.9.3 Light MOD.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Remcosv4.9.3LightMOD.exeRuntime Broker.exeRuntime Broker.exe

description	pid	process	target process
PID 2392 wrote to memory of 3048	2392	Remcosv4.9.3LightMOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048	2392	Remcosv4.9.3LightMOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048	2392	Remcosv4.9.3LightMOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048	2392	Remcosv4.9.3LightMOD.exe	Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 820	2392	Remcosv4.9.3LightMOD.exe	Runtime Broker.exe
PID 2392 wrote to memory of 820	2392	Remcosv4.9.3LightMOD.exe	Runtime Broker.exe
PID 2392 wrote to memory of 820	2392	Remcosv4.9.3LightMOD.exe	Runtime Broker.exe
PID 820 wrote to memory of 2676	820	Runtime Broker.exe	schtasks.exe
PID 820 wrote to memory of 2676	820	Runtime Broker.exe	schtasks.exe
PID 820 wrote to memory of 2676	820	Runtime Broker.exe	schtasks.exe
PID 820 wrote to memory of 2612	820	Runtime Broker.exe	Runtime Broker.exe
PID 820 wrote to memory of 2612	820	Runtime Broker.exe	Runtime Broker.exe
PID 820 wrote to memory of 2612	820	Runtime Broker.exe	Runtime Broker.exe
PID 2612 wrote to memory of 1436	2612	Runtime Broker.exe	schtasks.exe
PID 2612 wrote to memory of 1436	2612	Runtime Broker.exe	schtasks.exe
PID 2612 wrote to memory of 1436	2612	Runtime Broker.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2676

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
Filesize
39.2MB

MD5
6eacce4a82cf898472ad2aa8b0267cca

SHA1
954def54ec22b1ade594e7f501384fe19d2bbfef

SHA256
522a915d9a78b68fee628014e4559e82bcbf137d9abc521e57b6e7aca695cec7

SHA512
3004e9f64ba6258b3780d534bd59b3c8ae611e29d846e0aaa197af892f56708379b4996295de5c777ef845a031c44915bf3faa17b137f892a81373423bd47ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.1MB

MD5
0296021acfb4f37e63df4de7461ebfd9

SHA1
14117dba6ce87cbb6561ebdfffec60cb21860800

SHA256
4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a

SHA512
ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

Download Submit
memory/820-14-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download
memory/2392-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download
memory/2392-1-0x0000000000940000-0x0000000003194000-memory.dmp

Filesize
40.3MB

Download
memory/2392-2-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-15-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-21-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/3048-49-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/3048-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3048-56-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/3048-63-0x0000000000400000-0x000000000668E000-memory.dmp

Filesize
98.6MB

Download
memory/3048-54-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/3048-51-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/3048-61-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3048-46-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/3048-44-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/3048-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3048-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3048-59-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3048-36-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3048-34-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3048-32-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3048-31-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3048-29-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3048-27-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3048-26-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3048-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3048-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads