quasar | ff7b72753ea2b80b03ad5275cc0987114997cc6ca55d81698fc679f7d35551f0

General

Target

47a0c991d1dba2805305515d93b174db.exe
Size

42.8MB
MD5

47a0c991d1dba2805305515d93b174db
SHA1

dafffc1e5e242f125cee49200f4e094974a1ae71
SHA256

ff7b72753ea2b80b03ad5275cc0987114997cc6ca55d81698fc679f7d35551f0
SHA512

092c9cd414760f35d41f5c07bca3535edbb7048485d6bd87a35cf88c05e51fc30e12d6cec3ee86ce46e4abdc89354be1fda145ed7b04c85955204a302512ea84
SSDEEP

393216:L76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfInVQx4urYsANulL7NF:L0LoCOn+2Is4urYDNulLBiuh

Score

10^/10

quasar tools discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Tools

C2

81.17.96.75:63009

Mutex

60b20d0a-a0cd-4b27-a870-970b6c27e2bc

Attributes

encryption_key
94C6FF9C4A9CE8C5D400630879382E5892756A94
install_name
Tools.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Tools
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2860-30-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2772	Tools.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	Tools.exe
2772	Tools.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 2860	2772	Tools.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4956	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	msbuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2772	2780	47a0c991d1dba2805305515d93b174db.exe	84
PID 2780 wrote to memory of 2772	2780	47a0c991d1dba2805305515d93b174db.exe	84
PID 2772 wrote to memory of 3352	2772	Tools.exe	85
PID 2772 wrote to memory of 3352	2772	Tools.exe	85
PID 2772 wrote to memory of 3352	2772	Tools.exe	85
PID 2772 wrote to memory of 3352	2772	Tools.exe	85
PID 2772 wrote to memory of 5000	2772	Tools.exe	86
PID 2772 wrote to memory of 5000	2772	Tools.exe	86
PID 2772 wrote to memory of 5000	2772	Tools.exe	86
PID 2772 wrote to memory of 5000	2772	Tools.exe	86
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2772 wrote to memory of 2860	2772	Tools.exe	87
PID 2860 wrote to memory of 4956	2860	msbuild.exe	91
PID 2860 wrote to memory of 4956	2860	msbuild.exe	91
PID 2860 wrote to memory of 4956	2860	msbuild.exe	91

C:\Users\Admin\AppData\Local\Temp\47a0c991d1dba2805305515d93b174db.exe
"C:\Users\Admin\AppData\Local\Temp\47a0c991d1dba2805305515d93b174db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\Tools.exe
  C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\Tools.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Tools.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\Tools.exe

Filesize
33KB

MD5
d5e7ca586d423e46e5718d13679eef7c

SHA1
25357313d641c8472633eda9f056be7c0ae0b948

SHA256
3bdcd9ca8cb9f31b8c4f280cf75129e330e124604aeb64e3f81822393b1e5a0d

SHA512
b09b1e9d938cd9944182c8d9feaf69eb2dd284f39092ccb010fc0ac4b97598fe75a11b5b20d71d937494f092695cd642db78436050e2e5b64ec0c05e3deff335

Download Submit
C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\VCRUNTIME140.dll

Filesize
115KB

MD5
f11e77313700cc647ab6fafb0e0254eb

SHA1
9950320220ae5fbb90619bd420a6546d8e529db6

SHA256
bd38963624cc1cd5cc6642bb0ef2b37ae02b0557f115c9ef5df2a00132389962

SHA512
60be8450ac60bf4256507988adc9025f0b4acf78bd56bc270dc4cbc03cafb3a0e6d64d29ee3c346212a9920c0d1279986cefe0ba2689312809550d184743a16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\concrt140e.dll

Filesize
3.1MB

MD5
8084c506c5d9a502c94e983765730ba2

SHA1
006292f837e03113094e45e16bfeee1d360239df

SHA256
b8a89b5d8715c3cbd56b76f9c9ad01154b69b2e8f1f0d2d42fdb29c8960812a2

SHA512
eab2ed81632869d5cb8e179a8fc206e1d3d567c61f6d1438a582414a2cd9f0e40fc8c5ee8d4ab4d3434dcc8aa3e1f4b9fa5b0e9b0d98f5a36abbb92e8f713294

Download Submit
C:\Users\Admin\AppData\Local\Temp\f10fde7845c4741761d8f0307507637a\jli.dll

Filesize
1.5MB

MD5
b288e2799a6aa020057ab8c9b203bfa6

SHA1
785737e76df95e112ef0a3166d61488993eaae58

SHA256
1c75498bb5c1db335f0a24afe8a55f84210d5feb3be401eab9c15ac911b96bbd

SHA512
d6bcbd275f609b6972c5d9bcfbe8e6b0085d9739b7c212663ff0c8e3c9b4fcab71fde4bac34d9bb5a8fe68f268a2abebd7414edaa454ebdc25dd233026738e19

Download Submit
memory/2860-34-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2860-37-0x0000000006330000-0x0000000006380000-memory.dmp

Filesize
320KB

Download
memory/2860-32-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/2860-33-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/2860-30-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2860-35-0x00000000054D0000-0x00000000054DA000-memory.dmp

Filesize
40KB

Download
memory/2860-36-0x00000000067E0000-0x0000000006DF8000-memory.dmp

Filesize
6.1MB

Download
memory/2860-31-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/2860-38-0x00000000065A0000-0x0000000006652000-memory.dmp

Filesize
712KB

Download
memory/2860-41-0x0000000007760000-0x0000000007772000-memory.dmp

Filesize
72KB

Download
memory/2860-42-0x00000000077C0000-0x00000000077FC000-memory.dmp

Filesize
240KB

Download
memory/2860-43-0x0000000007870000-0x00000000078D6000-memory.dmp

Filesize
408KB

Download
memory/2860-44-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/2860-45-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads