quasar | a9900a2399e587ed3ff5e60f06d042a5c6b340860f662b8716994d31775b5fe4

General

Target

TrixSMP-2.5.2.exe
Size

3.2MB
MD5

9fcc6a986059b5b536e1d9a024d98437
SHA1

362efdff4d397b27465effecd5cc46cc75ba4252
SHA256

a9900a2399e587ed3ff5e60f06d042a5c6b340860f662b8716994d31775b5fe4
SHA512

957c35d730f239e45d6b8080b90a021a14cb9a2e650299c8220233db52e4794839c87955ae0660dd5284f1c2fefa6ef3aa0d848fee13c3c8318d8616c2347936
SSDEEP

49152:KvwG42pda6D+/PjlLOlg6yQipVrchNmzf3oGd+BTHHB72eh2NTVmd:Kvz42pda6D+/PjlLOlZyQipVrchGXmd

Score

10^/10

quasar hakai spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hakai

C2

hakai44-57264.portmap.io:57264

hakai44-57264.portmap.io:7000

Mutex

ebb287ed-cec7-4c1a-bd01-c9a44d3e16eb

Attributes

encryption_key
EA64A0D4FF8902AE6D948D3F1F4FE3A6BD4AAB3A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2404-1-0x0000000001130000-0x000000000145E000-memory.dmp	family_quasar
behavioral1/files/0x00070000000186ee-6.dat	family_quasar
behavioral1/memory/2304-9-0x0000000001170000-0x000000000149E000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
2304	Client.exe

Drops file in Program Files directory 5 IoCs

Processes:

TrixSMP-2.5.2.exeClient.exe

description	ioc	Process
File created	C:\Program Files\SubDir\Client.exe	TrixSMP-2.5.2.exe
File opened for modification	C:\Program Files\SubDir\Client.exe	TrixSMP-2.5.2.exe
File opened for modification	C:\Program Files\SubDir	TrixSMP-2.5.2.exe
File opened for modification	C:\Program Files\SubDir\Client.exe	Client.exe
File opened for modification	C:\Program Files\SubDir	Client.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
1992	schtasks.exe
2184	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TrixSMP-2.5.2.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	2404	TrixSMP-2.5.2.exe
Token: SeDebugPrivilege	2304	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Client.exe

pid	Process
2304	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid	Process
2304	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
2304	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

TrixSMP-2.5.2.exeClient.exe

description	pid	Process	procid_target
PID 2404 wrote to memory of 1992	2404	TrixSMP-2.5.2.exe	30
PID 2404 wrote to memory of 1992	2404	TrixSMP-2.5.2.exe	30
PID 2404 wrote to memory of 1992	2404	TrixSMP-2.5.2.exe	30
PID 2404 wrote to memory of 2304	2404	TrixSMP-2.5.2.exe	32
PID 2404 wrote to memory of 2304	2404	TrixSMP-2.5.2.exe	32
PID 2404 wrote to memory of 2304	2404	TrixSMP-2.5.2.exe	32
PID 2304 wrote to memory of 2184	2304	Client.exe	33
PID 2304 wrote to memory of 2184	2304	Client.exe	33
PID 2304 wrote to memory of 2184	2304	Client.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TrixSMP-2.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\TrixSMP-2.5.2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1992
- C:\Program Files\SubDir\Client.exe
  "C:\Program Files\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SubDir\Client.exe

Filesize
3.2MB

MD5
9fcc6a986059b5b536e1d9a024d98437

SHA1
362efdff4d397b27465effecd5cc46cc75ba4252

SHA256
a9900a2399e587ed3ff5e60f06d042a5c6b340860f662b8716994d31775b5fe4

SHA512
957c35d730f239e45d6b8080b90a021a14cb9a2e650299c8220233db52e4794839c87955ae0660dd5284f1c2fefa6ef3aa0d848fee13c3c8318d8616c2347936

Download Submit
memory/2304-10-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-9-0x0000000001170000-0x000000000149E000-memory.dmp

Filesize
3.2MB

Download
memory/2304-11-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-12-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x0000000001130000-0x000000000145E000-memory.dmp

Filesize
3.2MB

Download
memory/2404-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-8-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads