quasar | c8a496dcf94d5d246dec0747f139957709b63412f48d9a1591ca5e771a988636

Analysis

max time kernel
279s
max time network
292s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CHOCORAT.exe
Size

690KB
MD5

01eb0af08528a0ea0e9497a3b6152e06
SHA1

0ccc8c1d222c5b3975844155edebc34136704dbe
SHA256

576e11eee6d61199ea29fbb0106867913c2e4f22822eb3806df3076ebd15f7d6
SHA512

e30511c2c8fad9cb39ff43c6021ca8b0136c27bf1b0c08d5dad2b37e5268373b371a2965cab9cd86530a41862988b21aa28fc28ed201bf07c95012c5121f976c
SSDEEP

6144:CaaXMzUmOZoq2ZeiOwAbPQiMtCNeI8MyllmjbO:Rachq1wcQPtzM6snO

Score

10^/10

quasar persistence spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1892-1-0x00000000002B0000-0x0000000000362000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\wininit.exe	family_quasar
behavioral2/memory/2516-10-0x0000000000B30000-0x0000000000BE2000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

2516 wininit.exe
Loads dropped DLL 1 IoCs

Processes:

CHOCORAT.exe

pid process

1892 CHOCORAT.exe

pid	process
2516	wininit.exe

pid	process
1892	CHOCORAT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CHOCORAT.exewininit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Initalizer = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHOCORAT.exe\""	CHOCORAT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Initalizer = "\"C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe\""	wininit.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CHOCORAT.exewininit.exe

description pid process

Token: SeDebugPrivilege 1892 CHOCORAT.exe
Token: SeDebugPrivilege 2516 wininit.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wininit.exe

pid process

2516 wininit.exe

flow	ioc
8	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	1892	CHOCORAT.exe
Token: SeDebugPrivilege	2516	wininit.exe

pid	process
2516	wininit.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

CHOCORAT.exe

description	pid	process	target process
PID 1892 wrote to memory of 2516	1892	CHOCORAT.exe	wininit.exe
PID 1892 wrote to memory of 2516	1892	CHOCORAT.exe	wininit.exe
PID 1892 wrote to memory of 2516	1892	CHOCORAT.exe	wininit.exe
PID 1892 wrote to memory of 2516	1892	CHOCORAT.exe	wininit.exe

C:\Users\Admin\AppData\Local\Temp\CHOCORAT.exe
"C:\Users\Admin\AppData\Local\Temp\CHOCORAT.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Roaming\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\wininit.exe
Filesize
690KB

MD5
01eb0af08528a0ea0e9497a3b6152e06

SHA1
0ccc8c1d222c5b3975844155edebc34136704dbe

SHA256
576e11eee6d61199ea29fbb0106867913c2e4f22822eb3806df3076ebd15f7d6

SHA512
e30511c2c8fad9cb39ff43c6021ca8b0136c27bf1b0c08d5dad2b37e5268373b371a2965cab9cd86530a41862988b21aa28fc28ed201bf07c95012c5121f976c

Download Submit
memory/1892-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1892-1-0x00000000002B0000-0x0000000000362000-memory.dmp

Filesize
712KB

Download
memory/1892-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-12-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-10-0x0000000000B30000-0x0000000000BE2000-memory.dmp

Filesize
712KB

Download
memory/2516-11-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-13-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-15-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download