quasar | 080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c

General

Target

080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe
Size

3.6MB
MD5

e709905ac50a6290aeda38c57e7f0048
SHA1

2d8760824802df5548a5e5d10ebec8ebd3851787
SHA256

080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c
SHA512

f55d5dd13ae515bb315d982e65ab1db378119957a8cc028b95b441a967770ebb5555dd61c30f51037d45560dc3091235196ffb191daee1620e5ba42d7cd5e353
SSDEEP

98304:ezdmPt6BByvuntOoqGYm8wBnPyYEKplZiD5zbjL:ezwkjyGZjBnPLxZiD5bL

Score

10^/10

quasar plmso discovery spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Plmso

C2

110.42.3.134:4782

Mutex

41ace1c3-9f4e-4d35-93fb-096ede244c3e

Attributes

encryption_key
980DB384AAAF5B8591D5B450BFA39547F61611DC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9a-22.dat	family_quasar
behavioral2/memory/2112-27-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe

Executes dropped EXE 3 IoCs

pid	Process
4644	MHClient-PLMSO.exe
2112	Client-built.exe
1536	Client.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1184-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1184-25-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHClient-PLMSO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2088	schtasks.exe
3068	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	Client-built.exe
Token: SeDebugPrivilege	1536	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1536	Client.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4644	1184	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe	82
PID 1184 wrote to memory of 4644	1184	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe	82
PID 1184 wrote to memory of 4644	1184	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe	82
PID 1184 wrote to memory of 2112	1184	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe	83
PID 1184 wrote to memory of 2112	1184	080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe	83
PID 2112 wrote to memory of 2088	2112	Client-built.exe	84
PID 2112 wrote to memory of 2088	2112	Client-built.exe	84
PID 2112 wrote to memory of 1536	2112	Client-built.exe	86
PID 2112 wrote to memory of 1536	2112	Client-built.exe	86
PID 1536 wrote to memory of 3068	1536	Client.exe	87
PID 1536 wrote to memory of 3068	1536	Client.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe
"C:\Users\Admin\AppData\Local\Temp\080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe

Filesize
3.1MB

MD5
14cd7678d01abbc0e1015b8e1964e0e7

SHA1
c2c49bab56fa40e73cde621beeb03d55ffaff4c3

SHA256
d7c718649ad7fa5597fcd0a68061e47443b90cd1aeca057eed5b7d353ebaf6d6

SHA512
3279ade847f145564531f571a07a13b46f6366e9beb50eed520054eecf55d71ae10146a4029199654b681e16924e25fe31546901fbcc3222c1f4fcd9fa7db5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe

Filesize
7.4MB

MD5
2b28610e1506469dbe52a6b47ea29976

SHA1
d0fa7a8f0b4a74cddb89b605b953f962e1f652e9

SHA256
442722239c667f15c27edfe601350bfde833af2e20e169cba0df8dfd062cec5a

SHA512
a1b44293fe271955f11923e5f39ecc945057b03479e3ee4ef824dbc2b48774e23bfff10dbb0cdd3e8ce4e7e4286767ab5bbe355b64d0187a8449982ffd4ab48b

Download Submit
memory/1184-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1184-25-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1536-35-0x000000001DD70000-0x000000001DDC0000-memory.dmp

Filesize
320KB

Download
memory/1536-36-0x000000001DE80000-0x000000001DF32000-memory.dmp

Filesize
712KB

Download
memory/2112-26-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/2112-27-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/2112-28-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/2112-34-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4644-20-0x0000000000400000-0x0000000000B5E000-memory.dmp

Filesize
7.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads