quasar | 435a89b57a238ca9ac57a93519017010d9cb1ced152cb4a51defd9b429314021

General

Target

Nemoxen.exe
Size

676KB
MD5

0af0a6cf3d6aa2d46cddbe43bc543e3c
SHA1

b6626edb5a410a7e8fb054d77e9ae77e0bbb92ce
SHA256

435a89b57a238ca9ac57a93519017010d9cb1ced152cb4a51defd9b429314021
SHA512

37c860181269f4233cd3ecdb77b77ec336fb95f5e6c845f8a09c1c126bda3fa06806f69d095fa837642597ac672cb6b8dd113ffac319601cf345248d89b859c3
SSDEEP

12288:zTEgdfYwbgf9Ip94Iyw4XpRJj0YDlRcdN+8:MUwzyRyw4XpRh0Qcdo8

Score

10^/10

quasar neoxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Neoxen

C2

192.168.0.42:4782

192.168.56.1:4782

Mutex

5e5c2635-6e73-4945-84d1-6fff2a604503

Attributes

encryption_key
4D634613C08A5953B861CE48D768ABEFCD1484A3
install_name
coolpro12.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Neoxen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3124-1-0x0000000000350000-0x0000000000400000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aafb-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1984	coolpro12.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4348	schtasks.exe
1700	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	Nemoxen.exe
Token: SeDebugPrivilege	1984	coolpro12.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	coolpro12.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1984	coolpro12.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4348	3124	Nemoxen.exe	79
PID 3124 wrote to memory of 4348	3124	Nemoxen.exe	79
PID 3124 wrote to memory of 1984	3124	Nemoxen.exe	81
PID 3124 wrote to memory of 1984	3124	Nemoxen.exe	81
PID 1984 wrote to memory of 1700	1984	coolpro12.exe	82
PID 1984 wrote to memory of 1700	1984	coolpro12.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe
"C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4348
- C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1700

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe

Filesize
676KB

MD5
0af0a6cf3d6aa2d46cddbe43bc543e3c

SHA1
b6626edb5a410a7e8fb054d77e9ae77e0bbb92ce

SHA256
435a89b57a238ca9ac57a93519017010d9cb1ced152cb4a51defd9b429314021

SHA512
37c860181269f4233cd3ecdb77b77ec336fb95f5e6c845f8a09c1c126bda3fa06806f69d095fa837642597ac672cb6b8dd113ffac319601cf345248d89b859c3

Download Submit
memory/1984-9-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/1984-10-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/1984-11-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/1984-12-0x000000001B920000-0x000000001B9D2000-memory.dmp

Filesize
712KB

Download
memory/1984-13-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-1-0x0000000000350000-0x0000000000400000-memory.dmp

Filesize
704KB

Download
memory/3124-0-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

Filesize
8KB

Download
memory/3124-2-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download
memory/3124-8-0x00007FF9F68C0000-0x00007FF9F7382000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads