quasar | a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe
Size

1.1MB
MD5

367bbab6aba76421003746f805a24c90
SHA1

bd9661a5b2dd0f74c561448979b302bc864d89b4
SHA256

a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5
SHA512

ab37bff13e60a0ef9eac6e3bd67dbd11fec8206bf30c944cd8594d7f7986402b2ca35678adec1010a37e3c0f086e234f57c48c627e4b95117eef7d919e40d9dc
SSDEEP

24576:9zZKZ6kSKsCiYqKg3ADrO2paC5fgV2kx9h6ujUh/ivuWIWI:9E63KsCbgm9paCyVi4q

Score

10^/10

quasar __6__discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

__6__

64.52.80.186:3978

Mutex

ulOlko6PwDtcon56WvJZSFPEGU5NfnDPI9Bag8WGNvXDkhbNG4aj8Z

Attributes

encryption_key
Pj9FPvaD3lwN1r1o4n87
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1332-39-0x0000000000090000-0x00000000000DE000-memory.dmp	family_quasar
behavioral1/memory/1332-41-0x0000000000090000-0x00000000000DE000-memory.dmp	family_quasar
behavioral1/memory/1332-42-0x0000000000090000-0x00000000000DE000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2752 created 1204	2752	Fall.pif	21
PID 2752 created 1204	2752	Fall.pif	21

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapidServe.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapidServe.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	Fall.pif
1332	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2332	cmd.exe
2752	Fall.pif
1332	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2720	tasklist.exe
844	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fall.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	1332	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2752	Fall.pif
2752	Fall.pif
2752	Fall.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1332	RegAsm.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2332	3052	a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe	30
PID 3052 wrote to memory of 2332	3052	a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe	30
PID 3052 wrote to memory of 2332	3052	a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe	30
PID 3052 wrote to memory of 2332	3052	a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe	30
PID 2332 wrote to memory of 844	2332	cmd.exe	32
PID 2332 wrote to memory of 844	2332	cmd.exe	32
PID 2332 wrote to memory of 844	2332	cmd.exe	32
PID 2332 wrote to memory of 844	2332	cmd.exe	32
PID 2332 wrote to memory of 1900	2332	cmd.exe	33
PID 2332 wrote to memory of 1900	2332	cmd.exe	33
PID 2332 wrote to memory of 1900	2332	cmd.exe	33
PID 2332 wrote to memory of 1900	2332	cmd.exe	33
PID 2332 wrote to memory of 2720	2332	cmd.exe	35
PID 2332 wrote to memory of 2720	2332	cmd.exe	35
PID 2332 wrote to memory of 2720	2332	cmd.exe	35
PID 2332 wrote to memory of 2720	2332	cmd.exe	35
PID 2332 wrote to memory of 2460	2332	cmd.exe	36
PID 2332 wrote to memory of 2460	2332	cmd.exe	36
PID 2332 wrote to memory of 2460	2332	cmd.exe	36
PID 2332 wrote to memory of 2460	2332	cmd.exe	36
PID 2332 wrote to memory of 2768	2332	cmd.exe	37
PID 2332 wrote to memory of 2768	2332	cmd.exe	37
PID 2332 wrote to memory of 2768	2332	cmd.exe	37
PID 2332 wrote to memory of 2768	2332	cmd.exe	37
PID 2332 wrote to memory of 2776	2332	cmd.exe	38
PID 2332 wrote to memory of 2776	2332	cmd.exe	38
PID 2332 wrote to memory of 2776	2332	cmd.exe	38
PID 2332 wrote to memory of 2776	2332	cmd.exe	38
PID 2332 wrote to memory of 2852	2332	cmd.exe	39
PID 2332 wrote to memory of 2852	2332	cmd.exe	39
PID 2332 wrote to memory of 2852	2332	cmd.exe	39
PID 2332 wrote to memory of 2852	2332	cmd.exe	39
PID 2332 wrote to memory of 2752	2332	cmd.exe	40
PID 2332 wrote to memory of 2752	2332	cmd.exe	40
PID 2332 wrote to memory of 2752	2332	cmd.exe	40
PID 2332 wrote to memory of 2752	2332	cmd.exe	40
PID 2332 wrote to memory of 2888	2332	cmd.exe	41
PID 2332 wrote to memory of 2888	2332	cmd.exe	41
PID 2332 wrote to memory of 2888	2332	cmd.exe	41
PID 2332 wrote to memory of 2888	2332	cmd.exe	41
PID 2752 wrote to memory of 2808	2752	Fall.pif	42
PID 2752 wrote to memory of 2808	2752	Fall.pif	42
PID 2752 wrote to memory of 2808	2752	Fall.pif	42
PID 2752 wrote to memory of 2808	2752	Fall.pif	42
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45
PID 2752 wrote to memory of 1332	2752	Fall.pif	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe
  "C:\Users\Admin\AppData\Local\Temp\a5fa5d614116a0fe39b35350d908a55d509b6fd1653d67bc5038df3a9c1016d5N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Clerk Clerk.cmd & Clerk.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 632539
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "DOZENSSEEMEDSPONSOREDMODIFY" Alike
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Criticism + ..\Barbie + ..\Cialis + ..\Stored + ..\Blame + ..\Crude + ..\Hours e
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\632539\Fall.pif
      Fall.pif e
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2752
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapidServe.url" & echo URL="C:\Users\Admin\AppData\Local\ServerRapid Technologies Inc\RapidServe.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapidServe.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\632539\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\632539\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\632539\e

Filesize
580KB

MD5
a515efc67b073bb4077e063f4e61d00d

SHA1
f2e06a0a8f891fef094c59511494e80b720d71ec

SHA256
c68570b917c0241fc4c172c3d43534227a724313921f33ca365397185e7c266d

SHA512
4275244d45ec3b825d950acb1a8d104d71868144ceddb9ba8b1bba1723a9a0e44089f8339c42ba5b58a9f642220206194dd3f610824c35f600b7c7941c7d20f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alike

Filesize
833B

MD5
707b7ba79668a1c4e8800796bef4cadb

SHA1
1c283619ffba7cab985e8d27a17af6279c425d70

SHA256
000c354905767d9eb83faf95261fc518d5d5b79c9bb250f3adda7ee28a7aba47

SHA512
682025289293bbb868590bfb99d858bc09dd973a0108d2f5c82205b8a81dc7b0271bb4c6cfc12c40a3975ba89e6cddad7747b8cdb236b9c954f6dd3b232aa9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bang

Filesize
871KB

MD5
b129b4a1c198f0b0096be9448fbdae43

SHA1
650575ed72b2817d51a79fcc0f540855d817570f

SHA256
9e15e37e892109981b34a224681934979475ac1086261a1cfcbf7fb01267936c

SHA512
a1cc9da2c8dd7a7b2b892b2f86fc336913d2a2ba347a112e430fb026077393bc2ff8dec12718a9d28a0ad6609e64904abb976cce4fbcdd2490394092a2364258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Barbie

Filesize
85KB

MD5
a77fba5fdbd8cf1eb6773204f56419a5

SHA1
82ddf59d83eae279811739ff752fba53708c848b

SHA256
a681eacfbb9891f034f7b9f03b33c37b3d2a6502683ac7ba7a55d3e3af5ef726

SHA512
e1283f11832bc9df2b2aeac2ad54ab7792753f55985b0b263947aa08d12e7656930d165b5396cd704d74f506b2f45f249bd67cfe40c7ddecc3aae39539d6720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blame

Filesize
82KB

MD5
c720f9216b9fab1cd33718fb774bfa38

SHA1
f8cb2c1d378d4f3863a6f45098eda52e81fcaa90

SHA256
f288636a59cfcbcf5cc123ddd13550b6b4ce013907acff5cd5006ba5d1425448

SHA512
a4e29fec658b0cb3f8a5e683edfa2b810e7af4516f29389e46e1e2a0c56277a926f44d2d65b12edf8d254d76a15902339965d25b6469e3d981b7ac5075dd4ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cialis

Filesize
95KB

MD5
68d85681ebcb3cf8a27cbbe7c75fa18d

SHA1
449c22eaad4b03dc20b537cad72aa7683c8072a6

SHA256
84e8a19b90d7675ffad2a64b10b776bbb530d5da2a2c956ff293f32a78560389

SHA512
d141196e4dea362bd8c2f184d7ea74ef683fee9a724e6ec157c6c41b19724e5e769edc55d17d50cb1c316d87cb129d1787557b2e774ca79dcc7ce87b2cc165e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clerk

Filesize
22KB

MD5
298a47d7adb65bef704645497f45cadd

SHA1
12fab0086429f08ca3a518d3a5970880b8b8a4d7

SHA256
f3601e68062b15522b6e5f9080988d3100a2994328821bbb3282735b419493b0

SHA512
60e97793bb04136a9f97748aff59cd28ac5e190d2adf6915a1c9ba99e7968746fe7ad8b8e7b0b06eaa7aa39690fc3e04aa322129f0066db04ffd3abc1498f8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Criticism

Filesize
92KB

MD5
5d20443eb0e575580dc7af0f13be8661

SHA1
0f075c4b1b43dcad61ee2d47ccfaa1a2a32c24f7

SHA256
b337725e291ee1e1ac49ecc18d9684e1c424486c0c0a1c6f978dcf9a7649e2ea

SHA512
98f409ad39597417b63f36543a3314942560c59f22a37d75fd0b4eaa2539f5159a03f5078d5fc6a6fc6931adb728e93e0de24d6194c98e4cdf0e77a52c04e8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crude

Filesize
80KB

MD5
3d6f7020891a6ab71211073a6a77671c

SHA1
f6aceef46b4bd56fe5ad45278205e22452b4571a

SHA256
1967d74c34af212f9903e6801e42464c0a9ed261d43c3d0a9c26a90c312f4083

SHA512
50fb3cfa1c7eae6078fa9305dc0698bd047fbae004dfe6043c465ab0594fd238b1eeed17e06fe8d7f54a2c5e068593c64829aa2fdcd71ec142bc980fa31dafab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hours

Filesize
80KB

MD5
85f5d59b3ac0f1d981ec38aeda00719f

SHA1
b80e548e374c0273876968f851ceeec72e5ebdfc

SHA256
7ca91f1868e8db54499880bc952c36450df7b4760037e3f0f8bd7b9a0b7f7d62

SHA512
88962b28b06381d68cf798078d1a883c33fd5b514364673bd0d5616fe3efa787c4be6d48ca871ed1ec41a84fd9560b5b4b54d3ca7bbc064df80897f6fce1c892

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stored

Filesize
66KB

MD5
ae5a79fe841b443eff1cc7ef7b73d849

SHA1
5aad96f1b8b8774518ee4618b9d49714a6d24f0e

SHA256
1f3be880e90d916f5705f9174674b758486fa13df567101257513a2aa6a16684

SHA512
80935e69d9698743fc7ed13c60db1078ff93a35ac6222cc3ec5f19a9cb0f8a4b3d2429d56298f81b13e89b8910217d4a7056a42421d04d9c2db89b2123512a60

Download Submit
\Users\Admin\AppData\Local\Temp\632539\Fall.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\632539\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1332-39-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download
memory/1332-41-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download
memory/1332-42-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download