quasar | 49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23

General

Target

svchost1.exe
Size

409KB
MD5

b80b8c569a390b124cb7aaae003c8a82
SHA1

c38fc46e835ccbb538f4df122e501d07562553c4
SHA256

49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23
SHA512

75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47
SSDEEP

12288:epsD64e1M8c4Q7JkMgtqB+chi4gjEhNjh:6sG4kMfJiqBNfPh

Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

nexosmith1231-54169.portmap.host:4782

Mutex

$Sxr-NbHXQzYHWTCnT97XUN

Attributes

encryption_key
v2wYEk6QCkLkJJ1DyEGm
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000120000-0x000000000018C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe	family_quasar
behavioral1/memory/3008-11-0x00000000010F0000-0x000000000115C000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

$sxr-powershell.exe

pid process

3008 $sxr-powershell.exe
Loads dropped DLL 1 IoCs

Processes:

svchost1.exe

pid process

2040 svchost1.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeSCHTASKS.exe

pid process

2168 schtasks.exe
2132 schtasks.exe
2392 SCHTASKS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost1.exe$sxr-powershell.exe

description pid process

Token: SeDebugPrivilege 2040 svchost1.exe
Token: SeDebugPrivilege 3008 $sxr-powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

3008 $sxr-powershell.exe

pid	process
3008	$sxr-powershell.exe

pid	process
2040	svchost1.exe

flow	ioc
2	ip-api.com

pid	process
2168	schtasks.exe
2132	schtasks.exe
2392	SCHTASKS.exe

description	pid	process
Token: SeDebugPrivilege	2040	svchost1.exe
Token: SeDebugPrivilege	3008	$sxr-powershell.exe

pid	process
3008	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

svchost1.exe$sxr-powershell.exe

description	pid	process	target process
PID 2040 wrote to memory of 2168	2040	svchost1.exe	schtasks.exe
PID 2040 wrote to memory of 2168	2040	svchost1.exe	schtasks.exe
PID 2040 wrote to memory of 2168	2040	svchost1.exe	schtasks.exe
PID 2040 wrote to memory of 2168	2040	svchost1.exe	schtasks.exe
PID 2040 wrote to memory of 3008	2040	svchost1.exe	$sxr-powershell.exe
PID 2040 wrote to memory of 3008	2040	svchost1.exe	$sxr-powershell.exe
PID 2040 wrote to memory of 3008	2040	svchost1.exe	$sxr-powershell.exe
PID 2040 wrote to memory of 3008	2040	svchost1.exe	$sxr-powershell.exe
PID 3008 wrote to memory of 2132	3008	$sxr-powershell.exe	schtasks.exe
PID 3008 wrote to memory of 2132	3008	$sxr-powershell.exe	schtasks.exe
PID 3008 wrote to memory of 2132	3008	$sxr-powershell.exe	schtasks.exe
PID 3008 wrote to memory of 2132	3008	$sxr-powershell.exe	schtasks.exe
PID 2040 wrote to memory of 2392	2040	svchost1.exe	SCHTASKS.exe
PID 2040 wrote to memory of 2392	2040	svchost1.exe	SCHTASKS.exe
PID 2040 wrote to memory of 2392	2040	svchost1.exe	SCHTASKS.exe
PID 2040 wrote to memory of 2392	2040	svchost1.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\svchost1.exe
"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost1.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2168

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77svchost1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost1.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize
409KB

MD5
b80b8c569a390b124cb7aaae003c8a82

SHA1
c38fc46e835ccbb538f4df122e501d07562553c4

SHA256
49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23

SHA512
75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47

Download Submit
memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000000120000-0x000000000018C000-memory.dmp

Filesize
432KB

Download
memory/2040-2-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-14-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-10-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-11-0x00000000010F0000-0x000000000115C000-memory.dmp

Filesize
432KB

Download
memory/3008-12-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-15-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads