quasar | 1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zvgfd-main/Empyrean Removal Tool .exe
Size

495KB
MD5

0858df720da731fb05cfa980134fa639
SHA1

0e5e7bf34494892b20e2ed62cea218ada919361d
SHA256

4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810
SHA512

c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9
SSDEEP

12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

Score

10^/10

quasar xworm slave execution rat spyware trojan

Malware Config

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
JAfppY5sR1LcDCf00ZQ4
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen Client Startup
subdirectory
$sxr~SubDir

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral9/files/0x0006000000014a29-5.dat	family_xworm
behavioral9/memory/1580-8-0x0000000001220000-0x0000000001238000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral9/files/0x0006000000015bb5-13.dat	family_quasar
behavioral9/memory/2288-14-0x0000000001390000-0x00000000013FC000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2876	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1580	Fanta.Live.exe
2288	Uni.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2576	powershell.exe
2876	powershell.exe
1580	Fanta.Live.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	Uni.exe
Token: SeDebugPrivilege	1580	Fanta.Live.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1580	Fanta.Live.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1580	Fanta.Live.exe
2288	Uni.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 1580	568	Empyrean Removal Tool .exe	28
PID 568 wrote to memory of 1580	568	Empyrean Removal Tool .exe	28
PID 568 wrote to memory of 1580	568	Empyrean Removal Tool .exe	28
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 568 wrote to memory of 2288	568	Empyrean Removal Tool .exe	29
PID 2288 wrote to memory of 2544	2288	Uni.exe	31
PID 2288 wrote to memory of 2544	2288	Uni.exe	31
PID 2288 wrote to memory of 2544	2288	Uni.exe	31
PID 2288 wrote to memory of 2544	2288	Uni.exe	31
PID 1580 wrote to memory of 2576	1580	Fanta.Live.exe	33
PID 1580 wrote to memory of 2576	1580	Fanta.Live.exe	33
PID 1580 wrote to memory of 2576	1580	Fanta.Live.exe	33
PID 1580 wrote to memory of 2876	1580	Fanta.Live.exe	35
PID 1580 wrote to memory of 2876	1580	Fanta.Live.exe	35
PID 1580 wrote to memory of 2876	1580	Fanta.Live.exe	35

C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool .exe
"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool .exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta.Live.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta.Live.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta.Live.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Fanta.Live.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Uni.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Uni.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SeroXen Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Uni.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Fanta.Live.exe

Filesize
73KB

MD5
60d0b57571b43d98f5993066eb083637

SHA1
b84391c08557b919e385939b9acdd8df768a3e6a

SHA256
6947c0946505af848a175127bc08d77a2ed846c7b94a79d3c27881725cebf2ef

SHA512
32d3f9c226e9951399381317441c8768b02556082488ec5be18e2e08daf33144e4cee8536eddbb9ea0a0dcd75495d1cb4cc047e49195fe2092852e9d20d64796

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Uni.exe

Filesize
409KB

MD5
a761927744e8ef30e04beefb644cd272

SHA1
8450c00f1141399d75c87de08f6b29837c148232

SHA256
08d3de9382225ce31ada8470f003dfa68789a6bb857bf3adc67d80d7a93018f9

SHA512
98775f9e55bfb66944ef315feadbdb60a7be80e2d00bf4f1f944b341515bae2f4f0b115145b78c6a6026550a8646933c9ec49d7e4161810ef69dc4d2875ea4e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XT5GXFSLI0LV9ME9IMD0.temp

Filesize
7KB

MD5
58005fc07d2be591e7d0cf1b7bad6edb

SHA1
652f72df6b951bc2ae808c816394c29bce57f2b6

SHA256
0c9a7a1c936acadb714e27f3dd0786d30bd9923c37918776d8112c28ba94142a

SHA512
b14ab51d7c3bca878b0a441ea7b4e8f348faa50d7809f80d1058f0376970445e2f3799c601e39f1f0c5a0b1be05983116addd498d9e0d266827dc112e2b6fc0b

Download Submit
memory/568-0-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

Filesize
4KB

Download
memory/568-1-0x00000000013A0000-0x0000000001422000-memory.dmp

Filesize
520KB

Download
memory/1580-8-0x0000000001220000-0x0000000001238000-memory.dmp

Filesize
96KB

Download
memory/1580-16-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1580-15-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1580-31-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1580-32-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-14-0x0000000001390000-0x00000000013FC000-memory.dmp

Filesize
432KB

Download
memory/2576-22-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2576-21-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2876-29-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2876-28-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download