quasar | 74a9841b730fbf433d0211236e50edd1d16cd13b673327e2c120c8aa226157c2

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 13:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AV FIXER.exe
Size

3.1MB
MD5

29c618fbaa5fa24da18b48a2306721b9
SHA1

f190122676be18afa49451f2dc8b8449465688f2
SHA256

74a9841b730fbf433d0211236e50edd1d16cd13b673327e2c120c8aa226157c2
SHA512

ae7a808e561c639f14a5c1ab2081f652a94d27c5780c40dc388575a0dc014f7d24fb70090e2f3b833d76397b5b36e150ffd62f982e3d827da0b0ec9056ef94c1
SSDEEP

49152:bv5uf2NUaNmwzPWlvdaKM7ZxTwCwhi3Bxm3oGdJmTHHB72eh2NT:bvUf2NUaNmwzPWlvdaB7ZxTw3ii5

Score

10^/10

quasar av fixer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

AV FIXER

192.168.0.120:4782

192.168.0.120:4781

90.221.139.200:4781

Mutex

f6eba3c7-0450-46fd-9e50-73b69dec25b9

Attributes

encryption_key
F8FE1BE15C2DA60FFAB39E3418D9330FC7991F1C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Epic Games
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4052-1-0x0000000000590000-0x00000000008B4000-memory.dmp	family_quasar
behavioral2/files/0x000300000002a9d4-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2228	Client.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	AV FIXER.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	AV FIXER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	AV FIXER.exe
Token: SeDebugPrivilege	2228	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2228	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2228	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	Client.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2228	4052	AV FIXER.exe	82
PID 4052 wrote to memory of 2228	4052	AV FIXER.exe	82

C:\Users\Admin\AppData\Local\Temp\AV FIXER.exe
"C:\Users\Admin\AppData\Local\Temp\AV FIXER.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
29c618fbaa5fa24da18b48a2306721b9

SHA1
f190122676be18afa49451f2dc8b8449465688f2

SHA256
74a9841b730fbf433d0211236e50edd1d16cd13b673327e2c120c8aa226157c2

SHA512
ae7a808e561c639f14a5c1ab2081f652a94d27c5780c40dc388575a0dc014f7d24fb70090e2f3b833d76397b5b36e150ffd62f982e3d827da0b0ec9056ef94c1

Download Submit
memory/2228-8-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/2228-10-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/2228-11-0x000000001C4D0000-0x000000001C520000-memory.dmp

Filesize
320KB

Download
memory/2228-12-0x000000001C5E0000-0x000000001C692000-memory.dmp

Filesize
712KB

Download
memory/2228-13-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/4052-0-0x00007FFD6B683000-0x00007FFD6B685000-memory.dmp

Filesize
8KB

Download
memory/4052-1-0x0000000000590000-0x00000000008B4000-memory.dmp

Filesize
3.1MB

Download
memory/4052-2-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/4052-9-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download