quasar | d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

General

Target

FlashingSoftwarePRO.exe
Size

3.4MB
MD5

15cb2f245ebee2dd12e4b8cea5aa0061
SHA1

0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e
SHA256

d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db
SHA512

39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa
SSDEEP

49152:DvqG42pda6D+/PjlLOlg6yQipVh2PzkMfq5oGdLlTHHB72eh2NT:DvN42pda6D+/PjlLOlZyQipVh2Pzcb

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

192.168.0.147:4782

101.56.195.62:4782

Matt10n3-57692.portmap.host:57692

Mutex

08e310ae-ecb8-4d83-b87f-95abe874bb4c

Attributes

encryption_key
7AC4D01862AC71A180B8FAEE5694E9D7B88EF662
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2880-1-0x0000000000CC0000-0x0000000001024000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c14-5.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2932	svchost.exe
3968	svchost.exe
3624	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1000	PING.EXE
4112	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1000	PING.EXE
4112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4688	schtasks.exe
1872	schtasks.exe
3488	schtasks.exe
4856	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2932	svchost.exe
Token: SeDebugPrivilege	3968	svchost.exe
Token: SeDebugPrivilege	3624	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2932	svchost.exe
3968	svchost.exe
3624	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4688	2880	FlashingSoftwarePRO.exe	83
PID 2880 wrote to memory of 4688	2880	FlashingSoftwarePRO.exe	83
PID 2880 wrote to memory of 2932	2880	FlashingSoftwarePRO.exe	85
PID 2880 wrote to memory of 2932	2880	FlashingSoftwarePRO.exe	85
PID 2932 wrote to memory of 1872	2932	svchost.exe	87
PID 2932 wrote to memory of 1872	2932	svchost.exe	87
PID 2932 wrote to memory of 3144	2932	svchost.exe	106
PID 2932 wrote to memory of 3144	2932	svchost.exe	106
PID 3144 wrote to memory of 4272	3144	cmd.exe	108
PID 3144 wrote to memory of 4272	3144	cmd.exe	108
PID 3144 wrote to memory of 1000	3144	cmd.exe	109
PID 3144 wrote to memory of 1000	3144	cmd.exe	109
PID 3144 wrote to memory of 3968	3144	cmd.exe	112
PID 3144 wrote to memory of 3968	3144	cmd.exe	112
PID 3968 wrote to memory of 3488	3968	svchost.exe	113
PID 3968 wrote to memory of 3488	3968	svchost.exe	113
PID 3968 wrote to memory of 4848	3968	svchost.exe	116
PID 3968 wrote to memory of 4848	3968	svchost.exe	116
PID 4848 wrote to memory of 3644	4848	cmd.exe	118
PID 4848 wrote to memory of 3644	4848	cmd.exe	118
PID 4848 wrote to memory of 4112	4848	cmd.exe	119
PID 4848 wrote to memory of 4112	4848	cmd.exe	119
PID 4848 wrote to memory of 3624	4848	cmd.exe	121
PID 4848 wrote to memory of 3624	4848	cmd.exe	121
PID 3624 wrote to memory of 4856	3624	svchost.exe	122
PID 3624 wrote to memory of 4856	3624	svchost.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4688
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVNHcNF6Tr1t.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4272
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1000
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQCRQLfbgK1N.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3644
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4112
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVNHcNF6Tr1t.bat

Filesize
199B

MD5
164dab58356e52a43ede594d7559e57f

SHA1
17be56a9ef8581992c42557214ec6d41966ed29f

SHA256
1d86f0ed2702d0811388346476923f2cf4fbef10b14937f88872228ce319658e

SHA512
1638c96a511754d2886147a2bb9db5527842b06f9c7518bb5697ac6a67de34b412b311e892abbc534edf2d8fb526f50157a7b0fe8afe6fd662303c2c0bbab608

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQCRQLfbgK1N.bat

Filesize
199B

MD5
ac2a362c8345ad619794113c43bd51d3

SHA1
4cd84c3b4e2a41b66fd04a0739c4e89f6f3546a3

SHA256
2bfdeebd884c191b7afdd9fac950bd3a76684d94affc2af6af6c9527f5d0dacb

SHA512
1c23273230f1a43e720e55354875768539b1b3011c0c7aba681295a134daf13c3173496349663ac8f5f3033a66c5153dcd98416f51e3f4343de1c26272fcce83

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.4MB

MD5
15cb2f245ebee2dd12e4b8cea5aa0061

SHA1
0fe7b4c8a4336a9ca20b563bb4288f7bb352ad5e

SHA256
d6d5f4a8d6476063c19d34d4c28d4940258f6fba0aad2fdccd42f812496f59db

SHA512
39193ceb136f05e989cd0ab62bf77bf8d548536e958723311bfa9a30e9aae728f1a8c631dae1bfa6cf0a02f51673879c9901c9662d17d9e3ac953104bb02c6fa

Download Submit
memory/2880-1-0x0000000000CC0000-0x0000000001024000-memory.dmp

Filesize
3.4MB

Download
memory/2880-2-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/2880-9-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/2880-0-0x00007FFF30AC3000-0x00007FFF30AC5000-memory.dmp

Filesize
8KB

Download
memory/2932-10-0x000000001D250000-0x000000001D2A0000-memory.dmp

Filesize
320KB

Download
memory/2932-17-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/2932-12-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/2932-11-0x000000001D360000-0x000000001D412000-memory.dmp

Filesize
712KB

Download
memory/2932-8-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads