quasar | 375f99f85beb8bc69029429b3c5317543957ffa7ba559da6fd4b930ce48bfc7c

General

Target

index.exe
Size

36.2MB
MD5

aa55396d7df072973d0ea88ec505579d
SHA1

8a9b057a859cee6ca3053dc0ef05089bbf2ac4ab
SHA256

375f99f85beb8bc69029429b3c5317543957ffa7ba559da6fd4b930ce48bfc7c
SHA512

969b634ed5aa5075b9b48ebabcf0e9093c530578ec292e67582db16f84437f4a2823130e354b0054f909ec361b145dc4236b57a9991d4974738924f44e06a2ff
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfG:fMguj8Q4VfvvqFTrYmi

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

147.185.221.20:47638

Mutex

$Sxr-GV6wZsGZZMeZ3qfenc

Attributes

encryption_key
pCYwpdVg3UP8ZY0FIEl9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Anti-Malware Disable Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000002326f-2.dat	family_quasar

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1384	powershell.exe
1384	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	powershell.exe
Token: 33	3360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3360	AUDIODG.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 216	4680	index.exe	84
PID 4680 wrote to memory of 216	4680	index.exe	84
PID 4680 wrote to memory of 4704	4680	index.exe	85
PID 4680 wrote to memory of 4704	4680	index.exe	85
PID 216 wrote to memory of 1384	216	cmd.exe	86
PID 216 wrote to memory of 1384	216	cmd.exe	86
PID 1384 wrote to memory of 4032	1384	powershell.exe	88
PID 1384 wrote to memory of 4032	1384	powershell.exe	88
PID 4032 wrote to memory of 2560	4032	csc.exe	89
PID 4032 wrote to memory of 2560	4032	csc.exe	89

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\system32\cmd.exe
  cmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\thdpe5bx\thdpe5bx.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565D.tmp" "c:\Users\Admin\AppData\Local\Temp\thdpe5bx\CSC4EA3441965E94BA4867650D99A4F26.TMP"
        5⤵
        
        PID:2560
- C:\Windows\system32\cmd.exe
  cmd.exe /C call C:\Users\Admin\AppData\Local\Temp\89435a09aea852638faa0bf902e7b347.bat
  2⤵
  PID:4704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89435a09aea852638faa0bf902e7b347.bat

Filesize
409KB

MD5
ef652484dc356b0bc87741f24f2ade24

SHA1
f988ef8700c1ed15fa42f9a5756471d6bc18c9c8

SHA256
e5e973ff9fe9b009638fc6f8e3b10ca9acad76d2c6cf887f82b018e5a39aa225

SHA512
fae5a830fc64a0599686368ca0d3826e4ada1ec383f6faae19054d61bee285442b7471c8f18faf4d378ea025128cab974c50a0cd8f8daf892c6107d812662fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES565D.tmp

Filesize
1KB

MD5
36565a49aa86928a0a7589e01bde7694

SHA1
f6f7c6b23db487402b0111af6b363a5b60d6bc1c

SHA256
cdf0f82ac2165dff9f754e37310113484b1e29174dbcdfaf036824e1f238d8c0

SHA512
6457ca32510b0eae3e41ef03ad60c4ded5d7fba55a3bf5ba78731b03c3ae0938c1b74297dea4e7f906491b453bfc09d07c6e0d598974d83818628f776deb8d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhvywkyq.gws.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\thdpe5bx\thdpe5bx.dll

Filesize
3KB

MD5
d3fcdaa6ffaf5b90570cd504f36f2c3a

SHA1
c5d86291b33d001d559712e5c72db37ee8c380d3

SHA256
a66587cbdd50e89cd222b4ffdeab17ee6b99f5a8dc7948c05c6199ac734e96ab

SHA512
ae7d9afbc88453aa1701475a2cb2a961cf68193f7f8be0ceb62215f85500b1b5f537a2536efac2fceb217350b9fd55f109a317c64046bfd54608d16f004df9c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\thdpe5bx\CSC4EA3441965E94BA4867650D99A4F26.TMP

Filesize
652B

MD5
7e359fb9a164de91e956fe50dcf92cae

SHA1
ed13de2b88fd068d7a8fd36fd466e9adc1fd243a

SHA256
d827197738109e557bcfde8f5bbb9f91b2301d6e240d17d526d0a5b10c298a76

SHA512
e1b7fa84ad99e14e0830ec719ece1d8c4abac161ac137912602b8b72339bf9ea136266fb859008df4b7d9e4d1ca64ef28a4a25ba3f5f07d864cd4cb9a1e2a46f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\thdpe5bx\thdpe5bx.0.cs

Filesize
737B

MD5
3d57f8f44297464baafa6aeecd3bf4bc

SHA1
f370b4b9f8dba01fbcad979bd663d341f358a509

SHA256
415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1

SHA512
4052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\thdpe5bx\thdpe5bx.cmdline

Filesize
369B

MD5
815c2c17e786f87db904b9b8d160419f

SHA1
bb9f24061b86fa32b7974fd0ba8a74611164701d

SHA256
b3e7c09dcb9ccd523b86f47b0b466764318a4cf623dc6cf12558817c32804d06

SHA512
78dd6c8a831bce184d407cc4f081f1666a0b411aa176c910cfc55d1f7cbb491936ee69fadc7c8f4449388c2269d734edd63f5d7a1f52ac4df6cb3cd3f06f9eb2

Download Submit
memory/1384-15-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

Filesize
10.8MB

Download
memory/1384-14-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

Filesize
10.8MB

Download
memory/1384-13-0x0000019DB3E90000-0x0000019DB3EB2000-memory.dmp

Filesize
136KB

Download
memory/1384-28-0x0000019D9B810000-0x0000019D9B818000-memory.dmp

Filesize
32KB

Download
memory/1384-3-0x00007FFE444A3000-0x00007FFE444A5000-memory.dmp

Filesize
8KB

Download
memory/1384-32-0x0000019DB3B70000-0x0000019DB3D8C000-memory.dmp

Filesize
2.1MB

Download
memory/1384-33-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing