quasar | d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.4MB
MD5

15cb2f245ebee2dd12e4b8cea5aa0061
SHA1

0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e
SHA256

d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db
SHA512

39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa
SSDEEP

49152:DvqG42pda6D+/PjlLOlg6yQipVh2PzkMfq5oGdLlTHHB72eh2NT:DvN42pda6D+/PjlLOlZyQipVh2Pzcb

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

192.168.0.147:4782

101.56.195.62:4782

Matt10n3-57692.portmap.host:57692

Mutex

08e310ae-ecb8-4d83-b87f-95abe874bb4c

Attributes

encryption_key
7AC4D01862AC71A180B8FAEE5694E9D7B88EF662
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000B00000-0x0000000000E64000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016276-5.dat	family_quasar
behavioral1/memory/2372-7-0x0000000001000000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/708-33-0x0000000001380000-0x00000000016E4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2372	svchost.exe
1036	svchost.exe
708	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
836	PING.EXE
1188	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
836	PING.EXE
1188	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
596	schtasks.exe
1544	schtasks.exe
2392	schtasks.exe
2692	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2372	svchost.exe
Token: SeDebugPrivilege	1036	svchost.exe
Token: SeDebugPrivilege	708	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2372	svchost.exe
1036	svchost.exe
708	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2392	2320	FlashingSoftwarePRO.exe	31
PID 2320 wrote to memory of 2392	2320	FlashingSoftwarePRO.exe	31
PID 2320 wrote to memory of 2392	2320	FlashingSoftwarePRO.exe	31
PID 2320 wrote to memory of 2372	2320	FlashingSoftwarePRO.exe	33
PID 2320 wrote to memory of 2372	2320	FlashingSoftwarePRO.exe	33
PID 2320 wrote to memory of 2372	2320	FlashingSoftwarePRO.exe	33
PID 2372 wrote to memory of 2692	2372	svchost.exe	34
PID 2372 wrote to memory of 2692	2372	svchost.exe	34
PID 2372 wrote to memory of 2692	2372	svchost.exe	34
PID 2372 wrote to memory of 2060	2372	svchost.exe	36
PID 2372 wrote to memory of 2060	2372	svchost.exe	36
PID 2372 wrote to memory of 2060	2372	svchost.exe	36
PID 2060 wrote to memory of 2104	2060	cmd.exe	38
PID 2060 wrote to memory of 2104	2060	cmd.exe	38
PID 2060 wrote to memory of 2104	2060	cmd.exe	38
PID 2060 wrote to memory of 836	2060	cmd.exe	39
PID 2060 wrote to memory of 836	2060	cmd.exe	39
PID 2060 wrote to memory of 836	2060	cmd.exe	39
PID 2060 wrote to memory of 1036	2060	cmd.exe	40
PID 2060 wrote to memory of 1036	2060	cmd.exe	40
PID 2060 wrote to memory of 1036	2060	cmd.exe	40
PID 1036 wrote to memory of 596	1036	svchost.exe	41
PID 1036 wrote to memory of 596	1036	svchost.exe	41
PID 1036 wrote to memory of 596	1036	svchost.exe	41
PID 1036 wrote to memory of 1928	1036	svchost.exe	44
PID 1036 wrote to memory of 1928	1036	svchost.exe	44
PID 1036 wrote to memory of 1928	1036	svchost.exe	44
PID 1928 wrote to memory of 1252	1928	cmd.exe	46
PID 1928 wrote to memory of 1252	1928	cmd.exe	46
PID 1928 wrote to memory of 1252	1928	cmd.exe	46
PID 1928 wrote to memory of 1188	1928	cmd.exe	47
PID 1928 wrote to memory of 1188	1928	cmd.exe	47
PID 1928 wrote to memory of 1188	1928	cmd.exe	47
PID 1928 wrote to memory of 708	1928	cmd.exe	48
PID 1928 wrote to memory of 708	1928	cmd.exe	48
PID 1928 wrote to memory of 708	1928	cmd.exe	48
PID 708 wrote to memory of 1544	708	svchost.exe	49
PID 708 wrote to memory of 1544	708	svchost.exe	49
PID 708 wrote to memory of 1544	708	svchost.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2392
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2692
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQIvgYij5Sel.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2104
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:836
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:596
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOaECJRJyOoO.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1252
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1188
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DQIvgYij5Sel.bat

Filesize
199B

MD5
26de81a671f84f38fc3537ee5b2d558c

SHA1
bcbaa03b7394c65ca665a0bb25694030187d50e2

SHA256
6ef6d5da23a850b3d407f631e6ef5659eb1ffb262cf7f1042cbb7b740b87d8bc

SHA512
17858b2356e941faf1cf7d8476858a2890b1b17838910dd63f4a06f7f1831b479357de3f1d7a04c4bc23d61fe7fb35f2302a88e039f909d99576f82a9bf938eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOaECJRJyOoO.bat

Filesize
199B

MD5
f41eb7efc7fae5d6120bbdfb6d854eaf

SHA1
d9ec394928c854d6da13791a4b14022e49e012cb

SHA256
c557718bca8c3d09d472da8df946eb26309a19e81ec0956812ae76fc10d123ec

SHA512
597167a2205c946182b6d6c2a55dc20725c21dc2a7e3f1907f78665423ba7f4f4950a1c16373985d4d270b46cbd4c7c91ba1fefc2d6de6d448aa27025c438388

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.4MB

MD5
15cb2f245ebee2dd12e4b8cea5aa0061

SHA1
0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e

SHA256
d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

SHA512
39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa

Download Submit
memory/708-33-0x0000000001380000-0x00000000016E4000-memory.dmp

Filesize
3.4MB

Download
memory/2320-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/2320-8-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-1-0x0000000000B00000-0x0000000000E64000-memory.dmp

Filesize
3.4MB

Download
memory/2372-7-0x0000000001000000-0x0000000001364000-memory.dmp

Filesize
3.4MB

Download
memory/2372-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2372-10-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2372-11-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2372-21-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads