quasar | 583dec28f988dba9a35801b8dc3c0ce3741909aaf6e3ea31e5d823659e43209f

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShcLoader.exe
Size

3.2MB
MD5

5035c5a044bc9d4a912d54b9d3342082
SHA1

25714bbf1aaea6c0d1ff128ef3d2ad5095da63a3
SHA256

583dec28f988dba9a35801b8dc3c0ce3741909aaf6e3ea31e5d823659e43209f
SHA512

df1cc57366a31dc1dac97f2f3194ebfca5c9329c4ecc27fe4a33efdfeb244d479ff2a2ff07e4e9dfdfe00a0b8b4eed3a45155bd1b62276007d9e61d933e3f78f
SSDEEP

98304:PDk4gOxkBVHpKEYWJMTER11yJKwFWMbeIc:PDng1V2WOg/MKws+e/

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

x0p-52599.portmap.host:52599

Mutex

1e8d1992-25ef-4495-bdc8-388b816e4b2b

Attributes

encryption_key
6CCE3B8C0D5A5CF28100953354AB7774A28FB355
install_name
Client.exe
log_directory
$xor-logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3600-2-0x000001B4F0D80000-0x000001B4F10A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ShcLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
716	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
716	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	ShcLoader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3600	ShcLoader.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4932	3600	ShcLoader.exe	98
PID 3600 wrote to memory of 4932	3600	ShcLoader.exe	98
PID 4932 wrote to memory of 1612	4932	cmd.exe	100
PID 4932 wrote to memory of 1612	4932	cmd.exe	100
PID 4932 wrote to memory of 716	4932	cmd.exe	101
PID 4932 wrote to memory of 716	4932	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\ShcLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ShcLoader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KrMBu9Pd3vv6.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1612
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KrMBu9Pd3vv6.bat

Filesize
210B

MD5
80a3ed6bdb48fefdbab6ed2c6e82e691

SHA1
e34eaa8b89cfe7d2b8d1a592b870ba6f818bffe4

SHA256
f01ba02bd0f4110071b2860704a438f26138dc5ce7600e6a45dacbc80139a013

SHA512
67b39ed7a6b714066338323d1700996aff09189f2141d0d9a0baba4d09383a64cf6a0d0c92d7935f09b6c19bbf8d08d9c05ffbf5d7a6050c76b224c4ab8c4e38

Download Submit
memory/3600-8-0x000001B4F0C30000-0x000001B4F0CE2000-memory.dmp

Filesize
712KB

Download
memory/3600-11-0x000001B4D8170000-0x000001B4D8182000-memory.dmp

Filesize
72KB

Download
memory/3600-3-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-4-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-5-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-6-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-2-0x000001B4F0D80000-0x000001B4F10A4000-memory.dmp

Filesize
3.1MB

Download
memory/3600-0-0x000001B4D6000000-0x000001B4D6326000-memory.dmp

Filesize
3.1MB

Download
memory/3600-7-0x000001B4D81A0000-0x000001B4D81F0000-memory.dmp

Filesize
320KB

Download
memory/3600-12-0x000001B4F0A00000-0x000001B4F0A3C000-memory.dmp

Filesize
240KB

Download
memory/3600-13-0x00007FFB762F3000-0x00007FFB762F5000-memory.dmp

Filesize
8KB

Download
memory/3600-14-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-15-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-1-0x00007FFB762F3000-0x00007FFB762F5000-memory.dmp

Filesize
8KB

Download
memory/3600-21-0x00007FFB762F0000-0x00007FFB76DB1000-memory.dmp

Filesize
10.8MB

Download