quasar | 719a7b316bfd202755b62a1a832ec1ef53a731dfa7e046d0cc92a797e414450f

General

Target

$77-Client.exe
Size

3.1MB
MD5

acc9e9d547efe13b2b0be13cb14aa721
SHA1

0a859b612ab726e7de353fe25ea862b38d23401f
SHA256

719a7b316bfd202755b62a1a832ec1ef53a731dfa7e046d0cc92a797e414450f
SHA512

e2225f526057068e6eb2c284c9e4429fd819923e52f9f8275a743feb5bb9c8519287cd3ce698761b717df6e3c870b21ff2a1eb2a61e29438d3d6f55e14588084
SSDEEP

49152:2vBt62XlaSFNWPjljiFa2RoUYI8ZCq1J0LoGd+1THHB72eh2NT:2vr62XlaSFNWPjljiFXRoUYIiCn

Score

10^/10

quasar slave discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

147.185.221.20:49485

Mutex

725e8cd4-7df0-4c5f-8cad-7f42a47ec93d

Attributes

encryption_key
8A741B205625DDE1631E142A4F37B4EFE8EC3980
install_name
$77-Client.exe
log_directory
$77-Logs
reconnect_delay
3000
startup_key
$77-Client
subdirectory
$77-SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/2752-1-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar
behavioral1/files/0x000800000001ac1c-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4728	$77-Client.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\$77-SubDir\$77-Client.exe	$77-Client.exe
File opened for modification	C:\Windows\system32\$77-SubDir\$77-Client.exe	$77-Client.exe
File opened for modification	C:\Windows\system32\$77-SubDir	$77-Client.exe
File opened for modification	C:\Windows\system32\$77-SubDir\$77-Client.exe	$77-Client.exe
File opened for modification	C:\Windows\system32\$77-SubDir	$77-Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5088	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$77-Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$77-Client.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5088	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
3952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	$77-Client.exe
Token: SeDebugPrivilege	4728	$77-Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4728	$77-Client.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2688	2752	$77-Client.exe	74
PID 2752 wrote to memory of 2688	2752	$77-Client.exe	74
PID 2752 wrote to memory of 4728	2752	$77-Client.exe	76
PID 2752 wrote to memory of 4728	2752	$77-Client.exe	76
PID 4728 wrote to memory of 3952	4728	$77-Client.exe	77
PID 4728 wrote to memory of 3952	4728	$77-Client.exe	77
PID 4728 wrote to memory of 3316	4728	$77-Client.exe	80
PID 4728 wrote to memory of 3316	4728	$77-Client.exe	80
PID 4728 wrote to memory of 3016	4728	$77-Client.exe	82
PID 4728 wrote to memory of 3016	4728	$77-Client.exe	82
PID 3016 wrote to memory of 4412	3016	cmd.exe	84
PID 3016 wrote to memory of 4412	3016	cmd.exe	84
PID 3016 wrote to memory of 5088	3016	cmd.exe	85
PID 3016 wrote to memory of 5088	3016	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$77-Client.exe
"C:\Users\Admin\AppData\Local\Temp\$77-Client.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "$77-Client" /sc ONLOGON /tr "C:\Windows\system32\$77-SubDir\$77-Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2688
- C:\Windows\system32\$77-SubDir\$77-Client.exe
  "C:\Windows\system32\$77-SubDir\$77-Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "$77-Client" /sc ONLOGON /tr "C:\Windows\system32\$77-SubDir\$77-Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3952
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "$77-Client" /f
    3⤵
    PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4xqqqBp4k4I.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4412
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-Client.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4xqqqBp4k4I.bat

Filesize
208B

MD5
3b8ee8b4ac15248a92b611464ec690cc

SHA1
e677e0504b6816bf0e34a32719243b8b81ef2806

SHA256
0b4363533bd4ccb44d6c209d973c43114fcc2eafcfe718ed611345a41b723120

SHA512
33765668f13cde8e4f326683b8c272862490723d416c132a4d9d90b6da11b9948d59d87a695a8cd4f3e4fc4d211f90906eb2730d385a1b9076db637652645d1b

Download Submit
C:\Windows\System32\$77-SubDir\$77-Client.exe

Filesize
3.1MB

MD5
acc9e9d547efe13b2b0be13cb14aa721

SHA1
0a859b612ab726e7de353fe25ea862b38d23401f

SHA256
719a7b316bfd202755b62a1a832ec1ef53a731dfa7e046d0cc92a797e414450f

SHA512
e2225f526057068e6eb2c284c9e4429fd819923e52f9f8275a743feb5bb9c8519287cd3ce698761b717df6e3c870b21ff2a1eb2a61e29438d3d6f55e14588084

Download Submit
memory/2752-1-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download
memory/2752-2-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-10-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-0-0x00007FF8747A3000-0x00007FF8747A4000-memory.dmp

Filesize
4KB

Download
memory/4728-11-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-13-0x000000001C4F0000-0x000000001C5A2000-memory.dmp

Filesize
712KB

Download
memory/4728-16-0x000000001C490000-0x000000001C4A2000-memory.dmp

Filesize
72KB

Download
memory/4728-17-0x000000001CFE0000-0x000000001D01E000-memory.dmp

Filesize
248KB

Download
memory/4728-18-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-12-0x000000001C3E0000-0x000000001C430000-memory.dmp

Filesize
320KB

Download
memory/4728-23-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download
memory/4728-9-0x00007FF8747A0000-0x00007FF87518C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads