quasar | e8156e44befb5335f9c18acdd0d428c3a8fa316546a71fbbbd2c64c08f697a3e

General

Target

RegEdit.exe
Size

3.1MB
MD5

bfacb0c11a720d61c03412d7f68fb8df
SHA1

06c5304b3d6d75734ae3f8f30c9486dd855f0335
SHA256

e8156e44befb5335f9c18acdd0d428c3a8fa316546a71fbbbd2c64c08f697a3e
SHA512

89a8dcf157e7b390f946925273d34c3f6bf2cdef62e2908f96ceb64e4dbd12d5cb353c7b0e2a37ff59187dd33d3c95ab640295c433ff8e4df760baca3a127cda
SSDEEP

49152:uvHI22SsaNYfdPBldt698dBcjHqEFlymzknoGd9UTHHB72eh2NT:uvo22SsaNYfdPBldt6+dBcjHqEFlE

Score

10^/10

quasar dumby bo got ratted lolol discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dumby bo got ratted LOLOL

C2

p-surplus.gl.at.ply.gg:7938

Mutex

6f229673-e6d0-41b5-a1e4-1cbc29eeffd8

Attributes

encryption_key
84EEFDB37698E582E7732B4568EC490426D1D6DF
install_name
d1aler.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4164-1-0x00000000006F0000-0x0000000000A14000-memory.dmp	family_quasar
behavioral1/files/0x001e00000002aa8d-6.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

d1aler.exe

pid	Process
1948	d1aler.exe

Drops file in System32 directory 5 IoCs

Processes:

RegEdit.exed1aler.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\d1aler.exe	RegEdit.exe
File opened for modification	C:\Windows\system32\SubDir	RegEdit.exe
File opened for modification	C:\Windows\system32\SubDir\d1aler.exe	d1aler.exe
File opened for modification	C:\Windows\system32\SubDir	d1aler.exe
File created	C:\Windows\system32\SubDir\d1aler.exe	RegEdit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2432	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d1aler.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d1aler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d1aler.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2432	PING.EXE

Runs regedit.exe 1 IoCs

Processes:

RegEdit.exe

pid	Process
4164	RegEdit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
3164	schtasks.exe
2400	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegEdit.exed1aler.exe

description	pid	Process
Token: SeDebugPrivilege	4164	RegEdit.exe
Token: SeDebugPrivilege	1948	d1aler.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

d1aler.exe

pid	Process
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

d1aler.exe

pid	Process
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe
1948	d1aler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d1aler.exe

pid	Process
1948	d1aler.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

RegEdit.exed1aler.execmd.exe

description	pid	Process	procid_target
PID 4164 wrote to memory of 3164	4164	RegEdit.exe	80
PID 4164 wrote to memory of 3164	4164	RegEdit.exe	80
PID 4164 wrote to memory of 1948	4164	RegEdit.exe	82
PID 4164 wrote to memory of 1948	4164	RegEdit.exe	82
PID 1948 wrote to memory of 2400	1948	d1aler.exe	83
PID 1948 wrote to memory of 2400	1948	d1aler.exe	83
PID 1948 wrote to memory of 3160	1948	d1aler.exe	86
PID 1948 wrote to memory of 3160	1948	d1aler.exe	86
PID 1948 wrote to memory of 1532	1948	d1aler.exe	88
PID 1948 wrote to memory of 1532	1948	d1aler.exe	88
PID 1532 wrote to memory of 4888	1532	cmd.exe	90
PID 1532 wrote to memory of 4888	1532	cmd.exe	90
PID 1532 wrote to memory of 2432	1532	cmd.exe	91
PID 1532 wrote to memory of 2432	1532	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RegEdit.exe
"C:\Users\Admin\AppData\Local\Temp\RegEdit.exe"
1⤵
- Drops file in System32 directory
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3164
- C:\Windows\system32\SubDir\d1aler.exe
  "C:\Windows\system32\SubDir\d1aler.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2400
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "Java updater" /f
    3⤵
    PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r5ZTpomvY2Vh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4888
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r5ZTpomvY2Vh.bat

Filesize
200B

MD5
e8c1a8261ab96f1a6487e9bf5f11988f

SHA1
f028ac2ed1d7fbbe6d628436a613e564af854856

SHA256
183af9d2566b2663779923fd5cbb8116f9ef3e4a01eb74c66e460ba641bd867d

SHA512
b8ec75ab9bc84a7075a947202094a4628496381f2049de5db045e420b3cabfde4e4981a36f0f45349ee4eb61be96092f73a00c137a0370f1d357ffb3e1716c57

Download Submit
C:\Windows\System32\SubDir\d1aler.exe

Filesize
3.1MB

MD5
bfacb0c11a720d61c03412d7f68fb8df

SHA1
06c5304b3d6d75734ae3f8f30c9486dd855f0335

SHA256
e8156e44befb5335f9c18acdd0d428c3a8fa316546a71fbbbd2c64c08f697a3e

SHA512
89a8dcf157e7b390f946925273d34c3f6bf2cdef62e2908f96ceb64e4dbd12d5cb353c7b0e2a37ff59187dd33d3c95ab640295c433ff8e4df760baca3a127cda

Download Submit
memory/1948-19-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/1948-16-0x000000001C9F0000-0x000000001CA02000-memory.dmp

Filesize
72KB

Download
memory/1948-27-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/1948-10-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/1948-11-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/1948-12-0x000000001C950000-0x000000001C9A0000-memory.dmp

Filesize
320KB

Download
memory/1948-13-0x000000001CA60000-0x000000001CB12000-memory.dmp

Filesize
712KB

Download
memory/1948-20-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/1948-17-0x000000001D270000-0x000000001D2AC000-memory.dmp

Filesize
240KB

Download
memory/1948-18-0x000000001DAE0000-0x000000001E008000-memory.dmp

Filesize
5.2MB

Download
memory/4164-0-0x00007FFCAE873000-0x00007FFCAE875000-memory.dmp

Filesize
8KB

Download
memory/4164-2-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/4164-9-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/4164-1-0x00000000006F0000-0x0000000000A14000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads