quasar | 66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Loads dropped DLL 1 IoCs

pid	Process
1868	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 2260	1868	powershell.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1868	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2260	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1160	1868	powershell.exe	85
PID 1868 wrote to memory of 1160	1868	powershell.exe	85
PID 1160 wrote to memory of 1896	1160	csc.exe	86
PID 1160 wrote to memory of 1896	1160	csc.exe	86
PID 1868 wrote to memory of 376	1868	powershell.exe	87
PID 1868 wrote to memory of 376	1868	powershell.exe	87
PID 1868 wrote to memory of 376	1868	powershell.exe	87
PID 1868 wrote to memory of 3932	1868	powershell.exe	88
PID 1868 wrote to memory of 3932	1868	powershell.exe	88
PID 1868 wrote to memory of 3932	1868	powershell.exe	88
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89
PID 1868 wrote to memory of 2260	1868	powershell.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf.ps1
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w2blcdws\w2blcdws.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp" "c:\Users\Admin\AppData\Local\Temp\w2blcdws\CSCE3D1C893AE9749ABAD2FF234B48DC636.TMP"
    3⤵
    PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCC58.tmp

Filesize
1KB

MD5
c571af45951fb680ed3783c473af4449

SHA1
b7012e5b459168cb50c30d16b64c784cfc5b5609

SHA256
b8641eaac9af6a3f29a1c14874c8e8c5537b18507a06ca73a8efeae763a8070b

SHA512
994ffb548b0ca4d204cf1c471f25599e94e3551f2197f61eb27f7cf30568e015ca34220694afa8f3baaa7a6224132922b898ad382dac5b0d17bdbe35ab1ce750

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvrwgqtu.emt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB8D.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2blcdws\w2blcdws.dll

Filesize
3KB

MD5
d8f9196aad6d5b98831ebcdf077ee30b

SHA1
35469e3e5df6953ab53489197fb273f693839812

SHA256
5042cdb6079cf61a9dda06d9296662161c09c636d1701382ef0e10ed95334f4e

SHA512
384f83b24e0b32953979436b7841de5954237fa93e091c5b368ba92769270516f27cd838bc8e807c646827bf4e8b4263f4d0865ddd55f9d17318691c3ba4ada7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2blcdws\CSCE3D1C893AE9749ABAD2FF234B48DC636.TMP

Filesize
652B

MD5
d9732c0805f46fe3908714967aeb6d87

SHA1
2a7f6a8070f203cb8ba7deb182c17def2f37b183

SHA256
9acd2a8b39f12cbc5ec262704cb1f2fa27022a1b34bb3195d4914673d952ee14

SHA512
2a17bb376db581006c1f058ff10828d7dd03b05295370995daef1da136c7de9bdee3bb62d509fadca9a3a9d0dfbcc9374f14211f84814f632b0137579e5799fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2blcdws\w2blcdws.0.cs

Filesize
241B

MD5
24fe9a70c3a9dbc96126c0b6edaba5ca

SHA1
f49c7237ecfae9dfbb6c203a1ce754c9e8caf46e

SHA256
9a42dd46a630514bc4e4717308107b6c483ee3e31b05abb1dd5f832bbdf01f5d

SHA512
ac0a1c20faea45f3d480fffab0b1dbab4974e7e054f5465b6e67c7f6e09af98803a8c61610032e30a7b2ed25d01ae653d2f5c63d9078b3464800fdcc94aa2001

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2blcdws\w2blcdws.cmdline

Filesize
369B

MD5
6e2d7436da5c36197194790451183579

SHA1
cda7c48b44098431ef0d5affcefd957092f54c2f

SHA256
3d99e33175ad2efedc2389d5f814d392f0246c512f7212d386e72f934933b8c0

SHA512
d7afcab0d7336f3bfaff3a6f24a2cf96ebfdfb8b0478bee900e9c2327030bcbdb0e8f84cb0f77ac24b02a504ba3a7066869fcf8fb2f05c4edd6123e7b19d199d

Download Submit
memory/1868-31-0x000001D199E80000-0x000001D199E94000-memory.dmp

Filesize
80KB

Download
memory/1868-36-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/1868-11-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/1868-26-0x000001D199E20000-0x000001D199E28000-memory.dmp

Filesize
32KB

Download
memory/1868-10-0x000001D1FFAD0000-0x000001D1FFAF2000-memory.dmp

Filesize
136KB

Download
memory/1868-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/1868-12-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/1868-35-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2260-37-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/2260-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2260-38-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2260-39-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/2260-40-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/2260-41-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2260-42-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/2260-43-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/2260-44-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing