quasar | e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EnigmaSRC..exe
Size

3.3MB
MD5

bf4ca8258fd2f4df510aa046bbf7b21c
SHA1

79fe2a2cd3df7f83a44c33d2a061d588a8238c07
SHA256

e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156
SHA512

aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828
SSDEEP

49152:tvjt62XlaSFNWPjljiFa2RoUYI8qR16AbR30oGdUTHHB72eh2NT:tvx62XlaSFNWPjljiFXRoUYI8qR161

Score

10^/10

quasar enigma.sln discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Enigma.Sln

C:\Users\nigger>:4782

Mutex

79e05c67-893c-4161-b8aa-df3a5e2de8c8

Attributes

encryption_key
180D990AA3B58892A5FBAE1EDF8AAEDB00F4AF8E
install_name
host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Visual Studios
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2548-1-0x0000000000990000-0x0000000000CE0000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b81-7.dat	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

host.exehost.exehost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	host.exe

Executes dropped EXE 3 IoCs

Processes:

host.exehost.exehost.exe

pid	Process
3460	host.exe
4064	host.exe
4848	host.exe

Drops file in System32 directory 9 IoCs

Processes:

EnigmaSRC..exehost.exehost.exehost.exe

description	ioc	Process
File created	C:\Windows\system32\SubDir\host.exe	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
5048	PING.EXE
4576	PING.EXE
3816	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
3816	PING.EXE
5048	PING.EXE
4576	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
632	schtasks.exe
3972	schtasks.exe
1784	schtasks.exe
3508	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

EnigmaSRC..exehost.exehost.exehost.exe

description	pid	Process
Token: SeDebugPrivilege	2548	EnigmaSRC..exe
Token: SeDebugPrivilege	3460	host.exe
Token: SeDebugPrivilege	4064	host.exe
Token: SeDebugPrivilege	4848	host.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

host.exehost.exehost.exe

pid	Process
3460	host.exe
4064	host.exe
4848	host.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

host.exehost.exehost.exe

pid	Process
3460	host.exe
4064	host.exe
4848	host.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EnigmaSRC..exehost.execmd.exehost.execmd.exehost.execmd.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 1784	2548	EnigmaSRC..exe	82
PID 2548 wrote to memory of 1784	2548	EnigmaSRC..exe	82
PID 2548 wrote to memory of 3460	2548	EnigmaSRC..exe	84
PID 2548 wrote to memory of 3460	2548	EnigmaSRC..exe	84
PID 3460 wrote to memory of 3508	3460	host.exe	85
PID 3460 wrote to memory of 3508	3460	host.exe	85
PID 3460 wrote to memory of 2784	3460	host.exe	87
PID 3460 wrote to memory of 2784	3460	host.exe	87
PID 2784 wrote to memory of 2452	2784	cmd.exe	89
PID 2784 wrote to memory of 2452	2784	cmd.exe	89
PID 2784 wrote to memory of 3816	2784	cmd.exe	90
PID 2784 wrote to memory of 3816	2784	cmd.exe	90
PID 2784 wrote to memory of 4064	2784	cmd.exe	91
PID 2784 wrote to memory of 4064	2784	cmd.exe	91
PID 4064 wrote to memory of 632	4064	host.exe	92
PID 4064 wrote to memory of 632	4064	host.exe	92
PID 4064 wrote to memory of 724	4064	host.exe	96
PID 4064 wrote to memory of 724	4064	host.exe	96
PID 724 wrote to memory of 2348	724	cmd.exe	98
PID 724 wrote to memory of 2348	724	cmd.exe	98
PID 724 wrote to memory of 5048	724	cmd.exe	99
PID 724 wrote to memory of 5048	724	cmd.exe	99
PID 724 wrote to memory of 4848	724	cmd.exe	105
PID 724 wrote to memory of 4848	724	cmd.exe	105
PID 4848 wrote to memory of 3972	4848	host.exe	106
PID 4848 wrote to memory of 3972	4848	host.exe	106
PID 4848 wrote to memory of 2716	4848	host.exe	108
PID 4848 wrote to memory of 2716	4848	host.exe	108
PID 2716 wrote to memory of 1560	2716	cmd.exe	110
PID 2716 wrote to memory of 1560	2716	cmd.exe	110
PID 2716 wrote to memory of 4576	2716	cmd.exe	111
PID 2716 wrote to memory of 4576	2716	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EnigmaSRC..exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSRC..exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1784
- C:\Windows\system32\SubDir\host.exe
  "C:\Windows\system32\SubDir\host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\as3xAQJhgtAn.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2452
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3816
  - - C:\Windows\system32\SubDir\host.exe
      "C:\Windows\system32\SubDir\host.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xFV02TbVaxFX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2348
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5048
      - C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeyeElBn5Gk3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\host.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\as3xAQJhgtAn.bat

Filesize
194B

MD5
5bbf1da6912821802ffbcdfd4e7f5f0f

SHA1
9738afc36dfe936836f47bd1bedb08e6bf8ae9b4

SHA256
0ebf90c8a231a8bbd8a56d77da0332ce84aa1e290c25d6d8d79cae6f1e959db6

SHA512
09074fe058d383b5ab7f6d0bf1d9dbb5dd2650012592b4853322d53b456b6b4bb19bf514dd6aa0ef9c7e88ab29fd9fdb1250b238690c9b914322db35c16d23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeyeElBn5Gk3.bat

Filesize
194B

MD5
3916d2981954c6aa348093ec66a0f583

SHA1
ac938adce5e88d691e170060872085d67df9c9ae

SHA256
90b60b092a250b6a11b34c213c6b7c39125228130d91ebce2a8065176bddd451

SHA512
408968907dea3e0fecd98d73c093b6cf443ba5755bbf7a5d94af50bdd1b9f54c95677132b86a94b65e0ed5516c1ac927c7fd1b4ff363cebc4e4a329d6625b201

Download Submit
C:\Users\Admin\AppData\Local\Temp\xFV02TbVaxFX.bat

Filesize
194B

MD5
bff2b1bab725fcf96d21ed14cfbaf9ad

SHA1
91bba4e979936be14645af3f94b427f2c419391d

SHA256
e83c0b8e2eea12f0ee6e59e96f932728aab70f5c830c4cb6a725afaadbd94e5b

SHA512
e1756c0357200e9605226e229074ebaf410ae2be0c153b6a9a646c15fb0a07a2ca65d67f2d836a7039c6008a210b34e8c0bcec399d0446382b7328010ec34fe3

Download Submit
C:\Windows\system32\SubDir\host.exe

Filesize
3.3MB

MD5
bf4ca8258fd2f4df510aa046bbf7b21c

SHA1
79fe2a2cd3df7f83a44c33d2a061d588a8238c07

SHA256
e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

SHA512
aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828

Download Submit
memory/2548-1-0x0000000000990000-0x0000000000CE0000-memory.dmp

Filesize
3.3MB

Download
memory/2548-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/2548-10-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/2548-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/3460-11-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3460-18-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3460-13-0x000000001D7C0000-0x000000001D872000-memory.dmp

Filesize
712KB

Download
memory/3460-12-0x000000001B6B0000-0x000000001B700000-memory.dmp

Filesize
320KB

Download
memory/3460-9-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download