quasar | 76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f

General

Target

76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe
Size

476KB
MD5

da604719663cbe3104a8e962b6e0c1a4
SHA1

e0ce2c871f1d20623c328fb16d7adbb4277f011f
SHA256

76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f
SHA512

847c1916b35f53a0c5d7afd9770863ed3789eb2468cb3dfdc343e8c61baacbd4679d676c8de79ebe72d38c905922d2f2a958603cd53bc921aece803d9823a287
SSDEEP

12288:c3ONTjM4IvtoL1F3Q+9V/xj3CwZQ57YkQ9tnApd:oONjn1djxr5Q57Ykqt

Score

10^/10

quasar winrar execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

winrar

C2

winrar.ydns.eu:4782

Mutex

bCniKUdDhgLnMojfQG

Attributes

encryption_key
XNz8aG8ZYhW5neohUxbc
install_name
Caspol.exe
log_directory
Logs
reconnect_delay
3000
startup_key
AppLaunch
subdirectory
MonitorWindows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1872-32-0x000000001AC90000-0x000000001ACDE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1064	powershell.exe
2004	powershell.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
576	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

taskhostw.exe

pid	Process
1872	taskhostw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2228	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
1064	powershell.exe
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exevssvc.exepowershell.exepowershell.exetaskhostw.exe

description	pid	Process
Token: SeDebugPrivilege	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1872	taskhostw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taskhostw.exe

pid	Process
1872	taskhostw.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.execmd.exetaskeng.exe

description	pid	Process	procid_target
PID 1088 wrote to memory of 1064	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	35
PID 1088 wrote to memory of 1064	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	35
PID 1088 wrote to memory of 1064	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	35
PID 1088 wrote to memory of 2004	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	37
PID 1088 wrote to memory of 2004	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	37
PID 1088 wrote to memory of 2004	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	37
PID 1088 wrote to memory of 576	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	40
PID 1088 wrote to memory of 576	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	40
PID 1088 wrote to memory of 576	1088	76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe	40
PID 576 wrote to memory of 2228	576	cmd.exe	42
PID 576 wrote to memory of 2228	576	cmd.exe	42
PID 576 wrote to memory of 2228	576	cmd.exe	42
PID 3016 wrote to memory of 1872	3016	taskeng.exe	43
PID 3016 wrote to memory of 1872	3016	taskeng.exe	43
PID 3016 wrote to memory of 1872	3016	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe
"C:\Users\Admin\AppData\Local\Temp\76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FCE.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {AD4F7FBD-7AB2-49F7-AB06-11155BA86421} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
  C:\Users\Admin\AppData\Local\Temp\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\taskhostw.exe

Filesize
476KB

MD5
da604719663cbe3104a8e962b6e0c1a4

SHA1
e0ce2c871f1d20623c328fb16d7adbb4277f011f

SHA256
76633ce92246c62bb3df63286aa65e0efb5e6e4bc5bb5f5cf3bdbbc6514c988f

SHA512
847c1916b35f53a0c5d7afd9770863ed3789eb2468cb3dfdc343e8c61baacbd4679d676c8de79ebe72d38c905922d2f2a958603cd53bc921aece803d9823a287

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3FCE.tmp.bat

Filesize
216B

MD5
b225a5c236c9ce9628eb413f653d7685

SHA1
e71e9c91b845c0d1038adfb85208ef80718875b8

SHA256
ba7940c5e392d904c0d189b93e0656b0dde571cf0fc58a02a2901df285cd4e27

SHA512
5344a2cb6db7da4c687c9f77e7a59f7f777bf63dfa9b0e40653420204346b68ac75c412b45221340f7662c76b4e130b780f81211bed7a69e9fd8e67e42b9bb45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b35f5748f616321b2c8e9c60780a902f

SHA1
b1fb5bfc07709fd2395e48b7792c4d2358ff39a3

SHA256
99d2374e792471b267d934c2161e6988c2f7d465ba1a7b4e15313b51a972879e

SHA512
034151312b1e287915b49fe703008b54a5a3962156f8ff8c7f5a977373c6fd28d9a71e622a67e0acf0dcbd19e3f3550ea84fea01455c90451bbd2a71ddc60f72

Download Submit
memory/1064-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1064-8-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1088-26-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1088-2-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/1088-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/1088-1-0x0000000000200000-0x000000000027E000-memory.dmp

Filesize
504KB

Download
memory/1088-31-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-30-0x0000000000FD0000-0x000000000104E000-memory.dmp

Filesize
504KB

Download
memory/1872-32-0x000000001AC90000-0x000000001ACDE000-memory.dmp

Filesize
312KB

Download
memory/2004-14-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2004-15-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads