quasar | 6c8c37a36abed711c096496eb53002120dec75d7784d90f3360ca48d454431dc

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PATCHER [made by @jd].exe
Size

2.1MB
MD5

30820e492faa5109df2c39bb7fc61d8c
SHA1

01c4eb3c0d90e957bd5f20db51694c7dbe39614e
SHA256

6c8c37a36abed711c096496eb53002120dec75d7784d90f3360ca48d454431dc
SHA512

0d9d5177231011081da3e355c4030c9073371b0d956f2145ead7aa3605ef590dfcd88c154b68c0586b9dab38dabe5286e3d2018e85c38faade3fc4c6309659c7
SSDEEP

49152:kDjlabwz9kAxS1tXXWuXm6oi4PP5iU1rZw5bRTtRQD7M8NSXUiWyZ6QR:0qwLOPXjoieP5iU1VwfJR4NfiWyZ64

Score

10^/10

quasar nezur discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NEZUR

107.136.27.33:10233

Mutex

fff2c6c9-4135-4292-8ffe-7f7aa8dcb732

Attributes

encryption_key
2D1DA0043928941E360CA9DDD7F6E55E0EF46EF7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Steam
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4cf-68.dat	family_quasar
behavioral1/memory/808-72-0x0000000000A60000-0x0000000000D84000-memory.dmp	family_quasar
behavioral1/memory/1320-78-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2792	loader.exe
808	installer.exe
1320	Client.exe

Loads dropped DLL 11 IoCs

pid	Process
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe
2792	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2480	schtasks.exe
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3028	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	808	installer.exe
Token: SeDebugPrivilege	1320	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1320	Client.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2792	2620	PATCHER [made by @jd].exe	31
PID 2620 wrote to memory of 2792	2620	PATCHER [made by @jd].exe	31
PID 2620 wrote to memory of 2792	2620	PATCHER [made by @jd].exe	31
PID 2620 wrote to memory of 2792	2620	PATCHER [made by @jd].exe	31
PID 2792 wrote to memory of 3028	2792	loader.exe	33
PID 2792 wrote to memory of 3028	2792	loader.exe	33
PID 2792 wrote to memory of 3028	2792	loader.exe	33
PID 2792 wrote to memory of 3028	2792	loader.exe	33
PID 2792 wrote to memory of 808	2792	loader.exe	35
PID 2792 wrote to memory of 808	2792	loader.exe	35
PID 2792 wrote to memory of 808	2792	loader.exe	35
PID 2792 wrote to memory of 808	2792	loader.exe	35
PID 808 wrote to memory of 2480	808	installer.exe	36
PID 808 wrote to memory of 2480	808	installer.exe	36
PID 808 wrote to memory of 2480	808	installer.exe	36
PID 808 wrote to memory of 1320	808	installer.exe	38
PID 808 wrote to memory of 1320	808	installer.exe	38
PID 808 wrote to memory of 1320	808	installer.exe	38
PID 1320 wrote to memory of 1820	1320	Client.exe	39
PID 1320 wrote to memory of 1820	1320	Client.exe	39
PID 1320 wrote to memory of 1820	1320	Client.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PATCHER [made by @jd].exe
"C:\Users\Admin\AppData\Local\Temp\PATCHER [made by @jd].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c Add-MpPreference -ExclusionPath 'C:\Users'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2480
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SharpCompress.dll

Filesize
577KB

MD5
6487b26639165817e722cbf5fbe9ad45

SHA1
3ec649bc6cfed24d13671ce573e492ddd1b0a3b5

SHA256
72ed7e48ce1c2551321fd88d7ab24e1bdd641c3dab187eb050bbee4e61dacb84

SHA512
191a9bfc32240cf08eb97aa8bfd81e8fe50cd2d40c9bcd2d17013f5b4c19ee01faa8bd4df3ec963bdb5c314dfc7730856c127c17e9943931bc09dda2fd3261cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.rar

Filesize
1.0MB

MD5
450fff26187a770596cb06eb124db704

SHA1
f6e269904fbbcebb13ce8fed0fad66683e0db353

SHA256
4b9d9964f9543635ed54bcce664e517687cfc0168beb23a36917a8dd31dc7a55

SHA512
ded34d1221c86d35143dcea4730084d98602fc0bc23173f3b904d72b0f9bfd6961d464538469112d35681f92d4e8ae15235d5e9f6ba53a809a73ca1227e996ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
7KB

MD5
af980e4647a9dc6317942c4c1499ab47

SHA1
ab60736a2b03ba5dfa13a9768af3e88508e28a7a

SHA256
7f718862360fd26799bae562327c03886ac588fc58d59884be519e377b5ddd50

SHA512
aa483af12562a0b6fc9632f606c30b5f661907e23781a44bb2b7db2d9461654536ca98696764909a94c1e6eabbb94c9674c4f5427926a55dbc22a9299beb58ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe.config

Filesize
565B

MD5
98dbb4a9bc384dca6b79a47886c42891

SHA1
028caef2a44a0bfc41ef8f0c7149952ff1022a01

SHA256
4e12056f6c6ff7d05f4dfd957586aeb41fe563677c57ae2fc43aff8aa2bcf970

SHA512
fabca42ffbba0e98ca5d90a95d2d849d27e42614b0c5dd6387e1994b7794e009fe27d060f26950527a614eb67319c12c2bc52563f975bfd4f570d5f7e58ee71e

Download Submit
\Users\Admin\AppData\Local\Temp\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
\Users\Admin\AppData\Local\Temp\installer.exe

Filesize
3.1MB

MD5
6b57fedea3f9e600b0820e785e666d42

SHA1
ba745c5e16946079f18677985bdf52a8cdcff747

SHA256
aa2b613ddd2f18cf1725d867e1bd447a378673c988086be0b0ac8eecbaaba6f6

SHA512
da73d2b783f69554a4a561bced65273dac5bfb16110a0053fd1b60b58231a93a29458e892def7d68072a5f76e935983f737fd128ab4a79041dfc6cc777fe0475

Download Submit
memory/808-72-0x0000000000A60000-0x0000000000D84000-memory.dmp

Filesize
3.1MB

Download
memory/1320-78-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/2792-53-0x0000000000CC0000-0x0000000000CE6000-memory.dmp

Filesize
152KB

Download
memory/2792-61-0x0000000001020000-0x000000000103E000-memory.dmp

Filesize
120KB

Download
memory/2792-57-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2792-65-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/2792-48-0x0000000000D70000-0x0000000000E06000-memory.dmp

Filesize
600KB

Download
memory/2792-42-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/2792-40-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download