quasar | 7d21bbbcb3e0f709dd351c1edc4d52efae8da0edf341121c17a6cfb1a9ecc7b2

General

Target

4ebd63449193b8fdbd0c0315f8e33e10N.exe
Size

2.9MB
MD5

4ebd63449193b8fdbd0c0315f8e33e10
SHA1

31d7b7aee638dfdbfb2e2f009d27ad30637f5953
SHA256

7d21bbbcb3e0f709dd351c1edc4d52efae8da0edf341121c17a6cfb1a9ecc7b2
SHA512

354555aa35ebb991302e12c36d1698646d7fcbbad8b6e77eda7255a0c7db4447c2d9bfb8a5669d1e93ba76f14624934646bcb2517c7a45a6ce051519371cf3e8
SSDEEP

49152:yPXGSVuFey6JK1TGcbEtiAobDv4Rza32ehyfT:yPXdw6JkTGcbEEA

Score

10^/10

quasar proxy spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Proxy

C2

45.66.231.154:45764

Mutex

80038a66-0dbb-4135-8eb1-4ce5a34ce41b

Attributes

encryption_key
2AA07B1B146EEAF9933214208B2004177FE4FA46
install_name
svchost.exe
log_directory
svchostetw
reconnect_delay
3000
startup_key
svchost
subdirectory
Microsoft Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2632-8-0x0000000000F00000-0x00000000011EA000-memory.dmp	family_quasar
behavioral1/files/0x000b00000001866c-6.dat	family_quasar
behavioral1/memory/656-1-0x0000000001230000-0x000000000151A000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2632	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2644	schtasks.exe
2564	schtasks.exe
2560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe
Token: SeDebugPrivilege	2632	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2560	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	29
PID 656 wrote to memory of 2560	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	29
PID 656 wrote to memory of 2560	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	29
PID 656 wrote to memory of 2564	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	31
PID 656 wrote to memory of 2564	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	31
PID 656 wrote to memory of 2564	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	31
PID 656 wrote to memory of 2632	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	33
PID 656 wrote to memory of 2632	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	33
PID 656 wrote to memory of 2632	656	4ebd63449193b8fdbd0c0315f8e33e10N.exe	33
PID 2632 wrote to memory of 2644	2632	svchost.exe	34
PID 2632 wrote to memory of 2644	2632	svchost.exe	34
PID 2632 wrote to memory of 2644	2632	svchost.exe	34
PID 2632 wrote to memory of 2652	2632	svchost.exe	36
PID 2632 wrote to memory of 2652	2632	svchost.exe	36
PID 2632 wrote to memory of 2652	2632	svchost.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ebd63449193b8fdbd0c0315f8e33e10N.exe
"C:\Users\Admin\AppData\Local\Temp\4ebd63449193b8fdbd0c0315f8e33e10N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /SC MINUTE /MO 1 /TN "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\4ebd63449193b8fdbd0c0315f8e33e10N.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2560
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4ebd63449193b8fdbd0c0315f8e33e10N.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2564
- C:\Users\Admin\AppData\Roaming\Microsoft Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft Windows\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /SC MINUTE /MO 1 /TN "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Windows\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2644
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft Windows\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft Windows\svchost.exe

Filesize
2.9MB

MD5
4ebd63449193b8fdbd0c0315f8e33e10

SHA1
31d7b7aee638dfdbfb2e2f009d27ad30637f5953

SHA256
7d21bbbcb3e0f709dd351c1edc4d52efae8da0edf341121c17a6cfb1a9ecc7b2

SHA512
354555aa35ebb991302e12c36d1698646d7fcbbad8b6e77eda7255a0c7db4447c2d9bfb8a5669d1e93ba76f14624934646bcb2517c7a45a6ce051519371cf3e8

Download Submit
memory/656-7-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/656-2-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/656-1-0x0000000001230000-0x000000000151A000-memory.dmp

Filesize
2.9MB

Download
memory/656-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

Filesize
4KB

Download
memory/2632-9-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-8-0x0000000000F00000-0x00000000011EA000-memory.dmp

Filesize
2.9MB

Download
memory/2632-10-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-11-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-12-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads