quasar | 66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

x.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Loads dropped DLL 1 IoCs

pid	Process
3588	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 1824	3588	powershell.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3588	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	1824	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3836	3588	powershell.exe	84
PID 3588 wrote to memory of 3836	3588	powershell.exe	84
PID 3836 wrote to memory of 1668	3836	csc.exe	85
PID 3836 wrote to memory of 1668	3836	csc.exe	85
PID 3588 wrote to memory of 1108	3588	powershell.exe	86
PID 3588 wrote to memory of 1108	3588	powershell.exe	86
PID 3588 wrote to memory of 1108	3588	powershell.exe	86
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87
PID 3588 wrote to memory of 1824	3588	powershell.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.ps1
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pljgfr20\pljgfr20.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DAC.tmp" "c:\Users\Admin\AppData\Local\Temp\pljgfr20\CSCDFC59BBB771B44D6BEC0FD6F4CAE7A46.TMP"
    3⤵
    PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7DAC.tmp

Filesize
1KB

MD5
1547d5246aacda37ac02499e02a6c0af

SHA1
e1d5ebf1a909a65ac17c188b107446a96cb59e21

SHA256
7a9f15a36dfc7f70ce602f6c416e633fa6741d268045d67c376497c7a39d129d

SHA512
40018d4347559077fef92891fffe28673fbeded586324e5740dd9532a209b929b0bc068e845763c20b365520e24fc9611586cd519f7612ce0fd1f3dacd6b0eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_empiz005.vh4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pljgfr20\pljgfr20.dll

Filesize
3KB

MD5
1de2fe9204912c8eccff861a217711cc

SHA1
923bb3ee77d767659226895062eb823fa193f1b6

SHA256
cdcd16cd3158f345b57f8689faa78cd11324d2e28a84b0ea46737802ca2ade7a

SHA512
0fd8e888be01af83a912c670d40763e622329b56c2ee8f0ea33e684e764c8c4d7b7370c637cd3f01bd60c0506df0093748ed2a37faf44a7f2535b9f3e06e97c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CD1.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pljgfr20\CSCDFC59BBB771B44D6BEC0FD6F4CAE7A46.TMP

Filesize
652B

MD5
e9e572b8eacd318fbf022b2291d230a9

SHA1
dc8eccfee6e6f0bb3142d2ed45010b35df018ba8

SHA256
1ff6cef92fcc1367fe48f2d001479de000ea8a24036c2eae91cd53c94ed16f68

SHA512
6d25ee8c6edfed84fb819029f803abfa0ecbc13cc889a4f28e6079ffc91d478a44194fcc89920c6c3355eba574a047d71bec8ed0b81ed8da7a5d297c6af28963

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pljgfr20\pljgfr20.0.cs

Filesize
241B

MD5
f26363a9e7c5371cc5f35b0eff60c1ba

SHA1
e896269d30c7044d4c98d7d04e22cb5f065a7834

SHA256
fa548d7ec20ebce463ff43a223d0df6f9648124ee0b648f52e8bfb44d16bb140

SHA512
de54c28d7c5bb60bb099ef1bc6089bfee9463e2ad70824089d88f48be98bb103c3680aff13ab736a891c4ef1b027fd6051ca9fdad9b19ebd31634b06f67fc0a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pljgfr20\pljgfr20.cmdline

Filesize
369B

MD5
c5e829df1305737051e041840856f75d

SHA1
62d4f788aaadd3cd2509d5e5d63308a1d5895a7f

SHA256
8e0c4100bea65df7d9f2ce5883ece99bc7955f47390cc7c9016624aa3ee3eb64

SHA512
b1fb6eeda9ea3e1c13874b4c0b86bfbe8a51c9d5f4ca74bab77acc46d565a3a815c8b40d03ecac2430619933c94aa6fa61fddf146574d7442f8d78574a0b1b1c

Download Submit
memory/1824-37-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/1824-44-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/1824-43-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/1824-42-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/1824-41-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/1824-40-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/1824-39-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/1824-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1824-38-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/3588-27-0x000001D27B2E0000-0x000001D27B2E8000-memory.dmp

Filesize
32KB

Download
memory/3588-36-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3588-32-0x000001D27C310000-0x000001D27C324000-memory.dmp

Filesize
80KB

Download
memory/3588-10-0x000001D27C340000-0x000001D27C362000-memory.dmp

Filesize
136KB

Download
memory/3588-0-0x00007FFCD9873000-0x00007FFCD9875000-memory.dmp

Filesize
8KB

Download
memory/3588-11-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3588-12-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download
memory/3588-13-0x00007FFCD9870000-0x00007FFCDA331000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing