quasar | ffd1d3a0e43ff0ba827e83fccc2515392e2d08719338219d200b8a310c5acdb6

General

Target

VaporWaveX2.1/VaporWave2-1.exe
Size

72.5MB
MD5

af85b5d9c237ea75d4a307d5157c847f
SHA1

84ad14e5d89bd85f0ef1bb5f3269c0d6929c6a53
SHA256

3e7fe3f421b50a884cc30ac892a739e895f4243ed554183deebc7415593ee2d2
SHA512

bf2e7414f1e00d69aaf3dab61a938c3051f429b712d8dcccd3f7a7a32226d42dc66477c1fac7cbb67a326dd05b33de7afbc176ce4280405ac69e2e8dcbdabca3
SSDEEP

6144:UI6bPXhLApfpo8CL1g1N1ZflpUwGbeCqgHcFi9vNnoGjlhjl7k4:lmhAp5CL1g1N1ZfXxpi9vhHl1l7k4

Score

10^/10

quasar general1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

general1

C2

servicehos.zapto.org:4444

Mutex

QSR_MUTEX_ksxWAP4ziOqMlreofU

Attributes

encryption_key
i9HUVkY4QNExDOHIMtIX
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2456-1-0x0000000000470000-0x00000000004CE000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
708	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

chcp.comPING.EXEVaporWave2-1.exeschtasks.exesvchost.exeschtasks.exeschtasks.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VaporWave2-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
3848	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3848	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
4232	schtasks.exe
2712	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VaporWave2-1.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2456	VaporWave2-1.exe
Token: SeDebugPrivilege	708	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid	Process
708	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

VaporWave2-1.exesvchost.execmd.exe

description	pid	Process	procid_target
PID 2456 wrote to memory of 4232	2456	VaporWave2-1.exe	86
PID 2456 wrote to memory of 4232	2456	VaporWave2-1.exe	86
PID 2456 wrote to memory of 4232	2456	VaporWave2-1.exe	86
PID 2456 wrote to memory of 708	2456	VaporWave2-1.exe	88
PID 2456 wrote to memory of 708	2456	VaporWave2-1.exe	88
PID 2456 wrote to memory of 708	2456	VaporWave2-1.exe	88
PID 708 wrote to memory of 2712	708	svchost.exe	90
PID 708 wrote to memory of 2712	708	svchost.exe	90
PID 708 wrote to memory of 2712	708	svchost.exe	90
PID 708 wrote to memory of 528	708	svchost.exe	95
PID 708 wrote to memory of 528	708	svchost.exe	95
PID 708 wrote to memory of 528	708	svchost.exe	95
PID 708 wrote to memory of 1976	708	svchost.exe	97
PID 708 wrote to memory of 1976	708	svchost.exe	97
PID 708 wrote to memory of 1976	708	svchost.exe	97
PID 1976 wrote to memory of 2140	1976	cmd.exe	99
PID 1976 wrote to memory of 2140	1976	cmd.exe	99
PID 1976 wrote to memory of 2140	1976	cmd.exe	99
PID 1976 wrote to memory of 3848	1976	cmd.exe	100
PID 1976 wrote to memory of 3848	1976	cmd.exe	100
PID 1976 wrote to memory of 3848	1976	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe
"C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4232
- C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /delete /tn "svchost" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NjfD75xl0042.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NjfD75xl0042.bat

Filesize
263B

MD5
7281589139d4c26374729433c05927c9

SHA1
0d69e49efd9747f6a2cdf25bb28c87830d0d612f

SHA256
9208ae9e6015ba3badd1ef2bb72a6f33ffad7e86ea720e086fd21c163b51f230

SHA512
a5f3e9914f4b037c4a7f44ce7a21c4ace0c6f79f2d29562774f250a1d497edea15c8bad9a2b790b9ede249fbe1fa69426255cf4e8391d1d61bc0665bad2513c1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-07-~1

Filesize
224B

MD5
8527246eb723fcf3009175235581db28

SHA1
58af6e6b6ac23a9fae27244f123becc8dc0b6923

SHA256
2d27d0bcf097d3c0c629590f52582511627fdc81ef5d272f73897a97200c3e06

SHA512
68308fe93be7da5e6a35183a143dfc410762014d6d92263cc1e5041f4acfbe214f1204ef03ecf456db494ecd40ef4f0080120fddae06e31a6b077a9c00b862b8

Download Submit
memory/708-10-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/708-23-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/708-14-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/708-13-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/2456-6-0x0000000005BB0000-0x0000000005BC2000-memory.dmp

Filesize
72KB

Download
memory/2456-7-0x0000000006130000-0x000000000616C000-memory.dmp

Filesize
240KB

Download
memory/2456-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2456-11-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/2456-5-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/2456-4-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/2456-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/2456-2-0x00000000054A0000-0x0000000005A46000-memory.dmp

Filesize
5.6MB

Download
memory/2456-1-0x0000000000470000-0x00000000004CE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads