quasar | ffd1d3a0e43ff0ba827e83fccc2515392e2d08719338219d200b8a310c5acdb6

General

Target

VaporWaveX2.1/VaporWave2-1.exe
Size

72.5MB
MD5

af85b5d9c237ea75d4a307d5157c847f
SHA1

84ad14e5d89bd85f0ef1bb5f3269c0d6929c6a53
SHA256

3e7fe3f421b50a884cc30ac892a739e895f4243ed554183deebc7415593ee2d2
SHA512

bf2e7414f1e00d69aaf3dab61a938c3051f429b712d8dcccd3f7a7a32226d42dc66477c1fac7cbb67a326dd05b33de7afbc176ce4280405ac69e2e8dcbdabca3
SSDEEP

6144:UI6bPXhLApfpo8CL1g1N1ZflpUwGbeCqgHcFi9vNnoGjlhjl7k4:lmhAp5CL1g1N1ZfXxpi9vhHl1l7k4

Score

10^/10

quasar general1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

general1

C2

servicehos.zapto.org:4444

Mutex

QSR_MUTEX_ksxWAP4ziOqMlreofU

Attributes

encryption_key
i9HUVkY4QNExDOHIMtIX
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4524-1-0x0000000000FF0000-0x000000000104E000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4016	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VaporWave2-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2504	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2504	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3448	schtasks.exe
2176	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	VaporWave2-1.exe
Token: SeDebugPrivilege	4016	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4016	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 3448	4524	VaporWave2-1.exe	82
PID 4524 wrote to memory of 3448	4524	VaporWave2-1.exe	82
PID 4524 wrote to memory of 3448	4524	VaporWave2-1.exe	82
PID 4524 wrote to memory of 4016	4524	VaporWave2-1.exe	84
PID 4524 wrote to memory of 4016	4524	VaporWave2-1.exe	84
PID 4524 wrote to memory of 4016	4524	VaporWave2-1.exe	84
PID 4016 wrote to memory of 2176	4016	svchost.exe	85
PID 4016 wrote to memory of 2176	4016	svchost.exe	85
PID 4016 wrote to memory of 2176	4016	svchost.exe	85
PID 4016 wrote to memory of 1632	4016	svchost.exe	87
PID 4016 wrote to memory of 1632	4016	svchost.exe	87
PID 4016 wrote to memory of 1632	4016	svchost.exe	87
PID 4016 wrote to memory of 1608	4016	svchost.exe	89
PID 4016 wrote to memory of 1608	4016	svchost.exe	89
PID 4016 wrote to memory of 1608	4016	svchost.exe	89
PID 1608 wrote to memory of 2704	1608	cmd.exe	91
PID 1608 wrote to memory of 2704	1608	cmd.exe	91
PID 1608 wrote to memory of 2704	1608	cmd.exe	91
PID 1608 wrote to memory of 2504	1608	cmd.exe	92
PID 1608 wrote to memory of 2504	1608	cmd.exe	92
PID 1608 wrote to memory of 2504	1608	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe
"C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1\VaporWave2-1.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3448
- C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /delete /tn "svchost" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKiUilM1QP6o.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sKiUilM1QP6o.bat

Filesize
263B

MD5
fab6b0f5ffeb9ed4add90591c8fb048c

SHA1
327f6a1d66d6d351debad9ec406da301d20a7719

SHA256
d29d9408553ac76b4dd7f7c9cde11d184ff4b70c84a89a325de4f80cddaae2f3

SHA512
56bfde04075882a437e4274509372577d19da18a42c8cd25ea5655fbd18706dd36c17d4b0ab6dbc64b76ee0b3934d7c68783786189e5a5a1c0ced0d1c2a9dcec

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-07-~1

Filesize
224B

MD5
0be98a649cbf41d7de6ae57b1a86dbc7

SHA1
296833cc07c29643762eceb5fde50239e7113c23

SHA256
0e1bb70554cf6092ce4b9daff030237a8a180f0574e2f831c699e39cb735f7c5

SHA512
eaaaf536c494400788340e2417bbdb7bc647916833a237b19d663a22c1c1964c36efda851ee0bab2331b635371a741f6d27bb9823984d33e2a285064a9634862

Download Submit
memory/4016-14-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4016-24-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4016-18-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4016-17-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/4524-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/4524-7-0x0000000006D80000-0x0000000006DBC000-memory.dmp

Filesize
240KB

Download
memory/4524-15-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4524-6-0x0000000005F80000-0x0000000005F92000-memory.dmp

Filesize
72KB

Download
memory/4524-5-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4524-4-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4524-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/4524-2-0x0000000005FC0000-0x0000000006566000-memory.dmp

Filesize
5.6MB

Download
memory/4524-1-0x0000000000FF0000-0x000000000104E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads