quasar | 080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c

General

Target

E709905AC50A6290AEDA38C57E7F0048.exe
Size

3.6MB
MD5

e709905ac50a6290aeda38c57e7f0048
SHA1

2d8760824802df5548a5e5d10ebec8ebd3851787
SHA256

080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c
SHA512

f55d5dd13ae515bb315d982e65ab1db378119957a8cc028b95b441a967770ebb5555dd61c30f51037d45560dc3091235196ffb191daee1620e5ba42d7cd5e353
SSDEEP

98304:ezdmPt6BByvuntOoqGYm8wBnPyYEKplZiD5zbjL:ezwkjyGZjBnPLxZiD5bL

Score

10^/10

quasar plmso discovery spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Plmso

C2

110.42.3.134:4782

Mutex

41ace1c3-9f4e-4d35-93fb-096ede244c3e

Attributes

encryption_key
980DB384AAAF5B8591D5B450BFA39547F61611DC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b98-14.dat	family_quasar
behavioral2/memory/1544-26-0x0000000000E80000-0x00000000011A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	E709905AC50A6290AEDA38C57E7F0048.exe

Executes dropped EXE 3 IoCs

pid	Process
1392	MHClient-PLMSO.exe
1544	Client-built.exe
3904	Client.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4588-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4588-24-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E709905AC50A6290AEDA38C57E7F0048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHClient-PLMSO.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2392	schtasks.exe
1224	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	Client-built.exe
Token: SeDebugPrivilege	3904	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3904	Client.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1392	4588	E709905AC50A6290AEDA38C57E7F0048.exe	84
PID 4588 wrote to memory of 1392	4588	E709905AC50A6290AEDA38C57E7F0048.exe	84
PID 4588 wrote to memory of 1392	4588	E709905AC50A6290AEDA38C57E7F0048.exe	84
PID 4588 wrote to memory of 1544	4588	E709905AC50A6290AEDA38C57E7F0048.exe	85
PID 4588 wrote to memory of 1544	4588	E709905AC50A6290AEDA38C57E7F0048.exe	85
PID 1544 wrote to memory of 2392	1544	Client-built.exe	86
PID 1544 wrote to memory of 2392	1544	Client-built.exe	86
PID 1544 wrote to memory of 3904	1544	Client-built.exe	88
PID 1544 wrote to memory of 3904	1544	Client-built.exe	88
PID 3904 wrote to memory of 1224	3904	Client.exe	89
PID 3904 wrote to memory of 1224	3904	Client.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\E709905AC50A6290AEDA38C57E7F0048.exe
"C:\Users\Admin\AppData\Local\Temp\E709905AC50A6290AEDA38C57E7F0048.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2392
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe

Filesize
3.1MB

MD5
14cd7678d01abbc0e1015b8e1964e0e7

SHA1
c2c49bab56fa40e73cde621beeb03d55ffaff4c3

SHA256
d7c718649ad7fa5597fcd0a68061e47443b90cd1aeca057eed5b7d353ebaf6d6

SHA512
3279ade847f145564531f571a07a13b46f6366e9beb50eed520054eecf55d71ae10146a4029199654b681e16924e25fe31546901fbcc3222c1f4fcd9fa7db5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe

Filesize
7.4MB

MD5
2b28610e1506469dbe52a6b47ea29976

SHA1
d0fa7a8f0b4a74cddb89b605b953f962e1f652e9

SHA256
442722239c667f15c27edfe601350bfde833af2e20e169cba0df8dfd062cec5a

SHA512
a1b44293fe271955f11923e5f39ecc945057b03479e3ee4ef824dbc2b48774e23bfff10dbb0cdd3e8ce4e7e4286767ab5bbe355b64d0187a8449982ffd4ab48b

Download Submit
memory/1392-23-0x0000000000400000-0x0000000000B5E000-memory.dmp

Filesize
7.4MB

Download
memory/1544-25-0x00007FFEEB9B3000-0x00007FFEEB9B5000-memory.dmp

Filesize
8KB

Download
memory/1544-26-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/1544-27-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/1544-33-0x00007FFEEB9B0000-0x00007FFEEC471000-memory.dmp

Filesize
10.8MB

Download
memory/3904-34-0x000000001C5C0000-0x000000001C610000-memory.dmp

Filesize
320KB

Download
memory/3904-35-0x000000001C6D0000-0x000000001C782000-memory.dmp

Filesize
712KB

Download
memory/4588-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4588-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads