quasar | 15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683

General

Target

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
Size

876KB
MD5

05443408f8eadd9434558a7886ca7efb
SHA1

42419402ca59a4eb90e797b5f154cc5b2160dd62
SHA256

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683
SHA512

6f781a3efa43d10451274c8d22c79e12052185e7cb45652810b2edc60c5a2cc963dd36ba47d87b0b5fa485950dace1306eec280ce1ef3c4f399483c55ac61858
SSDEEP

24576:weKxzRSGSL0v0mMO5PKDRwszHMC8hrAaRKGX:BKxVpSL0AiyDysAC8hrZL

Score

10^/10

quasar aoy discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

AOY

C2

87.120.120.27:61540

127.0.0.1:61540

87.121.86.205:61541

Mutex

QSR_MUTEX_NOCv4TURf46HbVbxyc

Attributes

encryption_key
fVsndNhImy9VosyZSQbQ
install_name
updates.exe
log_directory
Logs
reconnect_delay
4000
startup_key
Windows Update
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1104-6-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1104-10-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/1104-8-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

updates.exeupdates.exe

pid process

2684 updates.exe
2852 updates.exe
Loads dropped DLL 2 IoCs

Processes:

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exeupdates.exe

pid process

1104 15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
2684 updates.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

pid	process
2684	updates.exe
2852	updates.exe

pid	process
1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
2684	updates.exe

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exeupdates.exe

description	pid	process	target process
PID 2188 set thread context of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2684 set thread context of 2852	2684	updates.exe	updates.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeupdates.exeupdates.exeschtasks.exe15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2824 schtasks.exe
2116 schtasks.exe

pid	process
2824	schtasks.exe
2116	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exeupdates.exeupdates.exe

description	pid	process
Token: SeDebugPrivilege	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
Token: SeDebugPrivilege	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
Token: SeDebugPrivilege	2684	updates.exe
Token: SeDebugPrivilege	2852	updates.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exeupdates.exeupdates.exe

description	pid	process	target process
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 2188 wrote to memory of 1104	2188	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
PID 1104 wrote to memory of 2824	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	schtasks.exe
PID 1104 wrote to memory of 2824	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	schtasks.exe
PID 1104 wrote to memory of 2824	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	schtasks.exe
PID 1104 wrote to memory of 2824	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	schtasks.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 1104 wrote to memory of 2684	1104	15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2684 wrote to memory of 2852	2684	updates.exe	updates.exe
PID 2852 wrote to memory of 2116	2852	updates.exe	schtasks.exe
PID 2852 wrote to memory of 2116	2852	updates.exe	schtasks.exe
PID 2852 wrote to memory of 2116	2852	updates.exe	schtasks.exe
PID 2852 wrote to memory of 2116	2852	updates.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
"C:\Users\Admin\AppData\Local\Temp\15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
  C:\Users\Admin\AppData\Local\Temp\15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2824
- - C:\Users\Admin\AppData\Roaming\Windows\updates.exe
    "C:\Users\Admin\AppData\Roaming\Windows\updates.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Roaming\Windows\updates.exe
      C:\Users\Admin\AppData\Roaming\Windows\updates.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\updates.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Windows\updates.exe

Filesize
876KB

MD5
05443408f8eadd9434558a7886ca7efb

SHA1
42419402ca59a4eb90e797b5f154cc5b2160dd62

SHA256
15e972a72e555d7bd756ededbbaa7a0dbb9705c31a73e14efd1128988a69f683

SHA512
6f781a3efa43d10451274c8d22c79e12052185e7cb45652810b2edc60c5a2cc963dd36ba47d87b0b5fa485950dace1306eec280ce1ef3c4f399483c55ac61858

Download Submit
memory/1104-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1104-21-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-13-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-12-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1104-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2188-3-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2188-11-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-4-0x0000000007090000-0x0000000007196000-memory.dmp

Filesize
1.0MB

Download
memory/2188-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2188-1-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2684-20-0x0000000000320000-0x0000000000400000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads