quasar | fe3a99da0e96c690ea206dd08b6deb4bb53acd214118f59229e37d00aa0d5b73

Analysis

max time kernel
1794s
max time network
1798s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

das.exe
Size

3.2MB
MD5

fc9dc72efa9a2558f092277889483177
SHA1

ae8629a0c0f52c3e6d2aaafc5b2e1f1bbd477747
SHA256

fe3a99da0e96c690ea206dd08b6deb4bb53acd214118f59229e37d00aa0d5b73
SHA512

4329fc1e1b6c556f628c9f3bdcab2e34ebe5a4fade9dcac59010581389613af19e1f8afffaeb495d952dc67dc591ae5c270c79ceafe6ec8e0f4b5b97f31df255
SSDEEP

49152:dTM2IVKyc1Egr0NBwq2dpOyMN5zAI24A8cSSa9+VYt2S6SMrM0LJxIuXwsL:dTcVKyc300q2dpVMH7HBcKmbJWuXwsL

Score

10^/10

quasar xworm dumby bo got ratted lolol defense_evasion discovery persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

important-machines.gl.at.ply.gg:7974

Attributes

Install_directory
%Public%
install_file
USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

dumby bo got ratted LOLOL

p-surplus.gl.at.ply.gg:7938

Mutex

6f229673-e6d0-41b5-a1e4-1cbc29eeffd8

Attributes

encryption_key
84EEFDB37698E582E7732B4568EC490426D1D6DF
install_name
d1aler.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java updater
subdirectory
SubDir

Signatures

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a0000000120d5-4.dat	family_xworm
behavioral1/memory/1936-14-0x0000000000E40000-0x0000000000E5A000-memory.dmp	family_xworm
behavioral1/memory/604-28-0x00000000008A0000-0x00000000008BA000-memory.dmp	family_xworm
behavioral1/memory/1044-33-0x0000000000CB0000-0x0000000000CCA000-memory.dmp	family_xworm
behavioral1/memory/1612-35-0x0000000000200000-0x000000000021A000-memory.dmp	family_xworm
behavioral1/memory/2876-38-0x0000000000BC0000-0x0000000000BDA000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000195c2-8.dat	family_quasar
behavioral1/memory/2816-15-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral1/memory/2896-21-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 3 IoCs

Processes:

RegEditadsdas.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk	RegEdit
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk	adsdas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk	adsdas.exe

Executes dropped EXE 7 IoCs

Processes:

adsdas.exeRegEdit.exed1aler.exeRegEditRegEditRegEditRegEdit

pid	Process
1936	adsdas.exe
2816	RegEdit.exe
2896	d1aler.exe
604	RegEdit
1044	RegEdit
1612	RegEdit
2876	RegEdit

Loads dropped DLL 2 IoCs

Processes:

das.exe

pid	Process
3036	das.exe
3036	das.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegEditadsdas.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit = "C:\\Users\\Public\\RegEdit"	RegEdit
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit = "C:\\Users\\Public\\RegEdit"	adsdas.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com
57	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 5 IoCs

Processes:

RegEdit.exed1aler.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\d1aler.exe	RegEdit.exe
File opened for modification	C:\Windows\system32\SubDir	RegEdit.exe
File opened for modification	C:\Windows\system32\SubDir\d1aler.exe	d1aler.exe
File opened for modification	C:\Windows\system32\SubDir	d1aler.exe
File created	C:\Windows\system32\SubDir\d1aler.exe	RegEdit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

das.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	das.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Runs regedit.exe 1 IoCs

Processes:

RegEdit.exe

pid	Process
2816	RegEdit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2636	schtasks.exe
1732	schtasks.exe
1500	schtasks.exe
1848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeadsdas.exeRegEdit

pid	Process
2360	powershell.exe
1936	adsdas.exe
2876	RegEdit

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeadsdas.exeRegEdit.exed1aler.exeRegEditRegEditRegEditRegEdit

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1936	adsdas.exe
Token: SeDebugPrivilege	2816	RegEdit.exe
Token: SeDebugPrivilege	2896	d1aler.exe
Token: SeDebugPrivilege	1936	adsdas.exe
Token: SeDebugPrivilege	604	RegEdit
Token: SeDebugPrivilege	1044	RegEdit
Token: SeDebugPrivilege	1612	RegEdit
Token: SeDebugPrivilege	2876	RegEdit
Token: SeDebugPrivilege	2876	RegEdit

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d1aler.exe

pid	Process
2896	d1aler.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

d1aler.exe

pid	Process
2896	d1aler.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d1aler.exeadsdas.exeRegEdit

pid	Process
2896	d1aler.exe
1936	adsdas.exe
2876	RegEdit

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

das.exeRegEdit.exed1aler.exeadsdas.exetaskeng.exeRegEdit

description	pid	Process	procid_target
PID 3036 wrote to memory of 2360	3036	das.exe	30
PID 3036 wrote to memory of 2360	3036	das.exe	30
PID 3036 wrote to memory of 2360	3036	das.exe	30
PID 3036 wrote to memory of 2360	3036	das.exe	30
PID 3036 wrote to memory of 1936	3036	das.exe	32
PID 3036 wrote to memory of 1936	3036	das.exe	32
PID 3036 wrote to memory of 1936	3036	das.exe	32
PID 3036 wrote to memory of 1936	3036	das.exe	32
PID 3036 wrote to memory of 2816	3036	das.exe	33
PID 3036 wrote to memory of 2816	3036	das.exe	33
PID 3036 wrote to memory of 2816	3036	das.exe	33
PID 3036 wrote to memory of 2816	3036	das.exe	33
PID 2816 wrote to memory of 2636	2816	RegEdit.exe	34
PID 2816 wrote to memory of 2636	2816	RegEdit.exe	34
PID 2816 wrote to memory of 2636	2816	RegEdit.exe	34
PID 2816 wrote to memory of 2896	2816	RegEdit.exe	36
PID 2816 wrote to memory of 2896	2816	RegEdit.exe	36
PID 2816 wrote to memory of 2896	2816	RegEdit.exe	36
PID 2896 wrote to memory of 1732	2896	d1aler.exe	37
PID 2896 wrote to memory of 1732	2896	d1aler.exe	37
PID 2896 wrote to memory of 1732	2896	d1aler.exe	37
PID 1936 wrote to memory of 1500	1936	adsdas.exe	40
PID 1936 wrote to memory of 1500	1936	adsdas.exe	40
PID 1936 wrote to memory of 1500	1936	adsdas.exe	40
PID 2968 wrote to memory of 604	2968	taskeng.exe	44
PID 2968 wrote to memory of 604	2968	taskeng.exe	44
PID 2968 wrote to memory of 604	2968	taskeng.exe	44
PID 2968 wrote to memory of 1044	2968	taskeng.exe	45
PID 2968 wrote to memory of 1044	2968	taskeng.exe	45
PID 2968 wrote to memory of 1044	2968	taskeng.exe	45
PID 2968 wrote to memory of 1612	2968	taskeng.exe	46
PID 2968 wrote to memory of 1612	2968	taskeng.exe	46
PID 2968 wrote to memory of 1612	2968	taskeng.exe	46
PID 2968 wrote to memory of 2876	2968	taskeng.exe	47
PID 2968 wrote to memory of 2876	2968	taskeng.exe	47
PID 2968 wrote to memory of 2876	2968	taskeng.exe	47
PID 2876 wrote to memory of 1848	2876	RegEdit	49
PID 2876 wrote to memory of 1848	2876	RegEdit	49
PID 2876 wrote to memory of 1848	2876	RegEdit	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\das.exe
"C:\Users\Admin\AppData\Local\Temp\das.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAZQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAbABzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcwBwACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\adsdas.exe
  "C:\Users\Admin\AppData\Local\Temp\adsdas.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegEdit" /tr "C:\Users\Public\RegEdit"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\RegEdit.exe
  "C:\Users\Admin\AppData\Local\Temp\RegEdit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- - C:\Windows\system32\SubDir\d1aler.exe
    "C:\Windows\system32\SubDir\d1aler.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\d1aler.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {63E8D451-A4CC-4B40-B06A-E973302BF1B2} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Public\RegEdit
  C:\Users\Public\RegEdit
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Users\Public\RegEdit
  C:\Users\Public\RegEdit
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Users\Public\RegEdit
  C:\Users\Public\RegEdit
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Users\Public\RegEdit
  C:\Users\Public\RegEdit
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegEdit" /tr "C:\Users\Public\RegEdit"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adsdas.exe

Filesize
76KB

MD5
614861a9ba2fcb5116a7882fac727556

SHA1
93421896f28e1b879ef4bed5803e1492b1e0c657

SHA256
5adf655e3c1cd454ea3575c60ccddfe9c7cbe4b67c2eacbca3987e06cef595ac

SHA512
41abb5fbb09109e9947713d8559f5d61e4e1f1037b5d26fe929ae69ce6f9bdb86dc278b5f37bd56f1a75a33b144fcd834e836f73ea2ecab96aeab632a82845e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk

Filesize
895B

MD5
32863e35cd203d77baa7a00369d89704

SHA1
9854537a7804b021b413f1508ceaa12ee60a742c

SHA256
2247597cdfb82c18f7520f6379d53548d41c51db81b94d0072a2742e7289e532

SHA512
4d022279a53f86632b8f5a395d21f35b13fbd1606f12091076239d5d185ca1a10e20b26ea5ef6e5f6949d4e9f15625ef81037ad426480a10a533ce7d3d7d0901

Download Submit
\Users\Admin\AppData\Local\Temp\RegEdit.exe

Filesize
3.1MB

MD5
bfacb0c11a720d61c03412d7f68fb8df

SHA1
06c5304b3d6d75734ae3f8f30c9486dd855f0335

SHA256
e8156e44befb5335f9c18acdd0d428c3a8fa316546a71fbbbd2c64c08f697a3e

SHA512
89a8dcf157e7b390f946925273d34c3f6bf2cdef62e2908f96ceb64e4dbd12d5cb353c7b0e2a37ff59187dd33d3c95ab640295c433ff8e4df760baca3a127cda

Download Submit
memory/604-28-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/1044-33-0x0000000000CB0000-0x0000000000CCA000-memory.dmp

Filesize
104KB

Download
memory/1612-35-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download
memory/1936-14-0x0000000000E40000-0x0000000000E5A000-memory.dmp

Filesize
104KB

Download
memory/2816-15-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/2876-38-0x0000000000BC0000-0x0000000000BDA000-memory.dmp

Filesize
104KB

Download
memory/2896-21-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download