quasar | c64e3396f244d5442a404688df8482d7193dc8fdaec53c55985eedd75b8c38c1

General

Target

Client-built.exe
Size

3.1MB
MD5

f367a45a5d494d19bcc5f62be92573a9
SHA1

869de872df89891e73fc3e7cb697631cc08c11a8
SHA256

c64e3396f244d5442a404688df8482d7193dc8fdaec53c55985eedd75b8c38c1
SHA512

568fda33b842750113f5d8f027adb6f8111a48a6378cd881c09ddcd643061444f811f2724c34f61a98c8d77c71f75c41be06b6b1e223cabc6a52895fe039fd74
SSDEEP

49152:7vUuf2NUaNmwzPWlvdaKM7ZxTw+DtmamzLpoGdIcsTHHB72eh2NT:7vDf2NUaNmwzPWlvdaB7ZxTw+Dtmd

Score

10^/10

quasar testvps discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

TestVPS

C2

57.129.67.71:4782

ByKami-35613.portmap.host:35613

Mutex

d81e25ce-e597-4c30-883b-6512e05b4d3f

Attributes

encryption_key
5F806F6FD612F4EFC8A3C6F274ACEA836FE88EB8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
HeheThatsQuasar
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2912-1-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1220	PING.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1220	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	Client-built.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	Client-built.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2788	2912	Client-built.exe	83
PID 2912 wrote to memory of 2788	2912	Client-built.exe	83
PID 2788 wrote to memory of 2368	2788	cmd.exe	85
PID 2788 wrote to memory of 2368	2788	cmd.exe	85
PID 2788 wrote to memory of 1220	2788	cmd.exe	86
PID 2788 wrote to memory of 1220	2788	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BfPuG4o5YKT8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2368
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3492

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\686a9b01-64fa-4a26-afbe-883cfdfc665c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfPuG4o5YKT8.bat

Filesize
213B

MD5
c57e6c69963f1344f9ab21efaba2966a

SHA1
758aff6d4f3bc587273420ed58275c977d52e72e

SHA256
a9285f19eb769b58536234495f17edf971b3b027bfe9d52370c39315684ad56c

SHA512
5ca97d08962c38a6a85d64b936674ccb9a108479e1118e17a494d2f6b0b644f81dcd3fe8e3031ed5c4214bca728cdafed1e29a886effd6dbb7bc249f2d9b3a95

Download Submit
memory/2912-8-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/2912-3-0x000000001B4B0000-0x000000001B500000-memory.dmp

Filesize
320KB

Download
memory/2912-4-0x000000001B5C0000-0x000000001B672000-memory.dmp

Filesize
712KB

Download
memory/2912-5-0x000000001BDB0000-0x000000001C2D8000-memory.dmp

Filesize
5.2MB

Download
memory/2912-0-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/2912-9-0x000000001BCD0000-0x000000001BD0C000-memory.dmp

Filesize
240KB

Download
memory/2912-10-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/2912-11-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/2912-2-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/2912-1-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/2912-27-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing