quasar | 5b584418db5a9302834272560b076a26ae5c882e253dd23d9c603bcdf4e235e7

General

Target

Uni.exe
Size

409KB
MD5

28a90307277122011920de004e149e2c
SHA1

0c3bc0d9338ce9129833d7bb8b3b6ebf41ef4a39
SHA256

5b584418db5a9302834272560b076a26ae5c882e253dd23d9c603bcdf4e235e7
SHA512

6c24cb5886c67a2c58219bfccb0816c136ba2d4d44792c40ca8482499974e2a9abd285af63a08d983aaaef2f7ab988a150a17bbecc903a109a8effee21092276
SSDEEP

6144:jMvlpdRJjGq/ld9zivfK2p7/PvmfD8MbLw5C7NP4TP6ENT/4e:MpbJjGuL9zivThPvm82wwyPhNTge

Score

10^/10

quasar loader client spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Loader Client

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
yeO4jNnQKA8amVjOSkeX
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1952-1-0x0000000000360000-0x00000000003CC000-memory.dmp	family_quasar
behavioral1/files/0x003800000001566b-5.dat	family_quasar
behavioral1/memory/2660-11-0x00000000011F0000-0x000000000125C000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2660	Client.exe

Loads dropped DLL 1 IoCs

pid	Process
1952	Uni.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2480	SCHTASKS.exe
2672	schtasks.exe
2488	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	Uni.exe
Token: SeDebugPrivilege	2660	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	Client.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2672	1952	Uni.exe	29
PID 1952 wrote to memory of 2672	1952	Uni.exe	29
PID 1952 wrote to memory of 2672	1952	Uni.exe	29
PID 1952 wrote to memory of 2672	1952	Uni.exe	29
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 1952 wrote to memory of 2660	1952	Uni.exe	31
PID 2660 wrote to memory of 2488	2660	Client.exe	32
PID 2660 wrote to memory of 2488	2660	Client.exe	32
PID 2660 wrote to memory of 2488	2660	Client.exe	32
PID 2660 wrote to memory of 2488	2660	Client.exe	32
PID 1952 wrote to memory of 2480	1952	Uni.exe	34
PID 1952 wrote to memory of 2480	1952	Uni.exe	34
PID 1952 wrote to memory of 2480	1952	Uni.exe	34
PID 1952 wrote to memory of 2480	1952	Uni.exe	34

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2672
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2488
- C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
28a90307277122011920de004e149e2c

SHA1
0c3bc0d9338ce9129833d7bb8b3b6ebf41ef4a39

SHA256
5b584418db5a9302834272560b076a26ae5c882e253dd23d9c603bcdf4e235e7

SHA512
6c24cb5886c67a2c58219bfccb0816c136ba2d4d44792c40ca8482499974e2a9abd285af63a08d983aaaef2f7ab988a150a17bbecc903a109a8effee21092276

Download Submit
memory/1952-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/1952-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1952-14-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-10-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-12-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-11-0x00000000011F0000-0x000000000125C000-memory.dmp

Filesize
432KB

Download
memory/2660-15-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-16-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads