quasar | fdb43a2f99ffb4ac9cd2a2a0eeffa531de224b45f4b8cce0bd700a89f1f54e01

General

Target

Client-built.exe
Size

3.1MB
MD5

3c8875bb8a38b7b3a8ae874e24461da5
SHA1

c2cbcf60e8c3639ec777fbdd614c97a5ae854117
SHA256

fdb43a2f99ffb4ac9cd2a2a0eeffa531de224b45f4b8cce0bd700a89f1f54e01
SHA512

23c8975c12f5d88bbb3845b0154f3bb3ea4e24bdc98f571a3ecb61cfbbc0aa25cbbb0176d2ab990c811c1d15ff7ba1fb92a185bad2c52114e7d0fdf721009f53
SSDEEP

49152:6vUt62XlaSFNWPjljiFa2RoUYIVa6uEBDik/SZoGd8THHB72eh2NT:6vI62XlaSFNWPjljiFXRoUYIVa6q

Score

10^/10

quasar kys spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

kys

C2

192.168.100.2:4444

Mutex

87964754-44e1-4ed3-a66e-f8de30cfe006

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
Panel.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Panel
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2732-1-0x0000000000B50000-0x0000000000E74000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d0e-6.dat	family_quasar
behavioral1/memory/2404-9-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2404	Panel.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Panel.exe
File created	C:\Windows\system32\SubDir\Panel.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Panel.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Panel.exe	Panel.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
2740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	Client-built.exe
Token: SeDebugPrivilege	2404	Panel.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2404	Panel.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2840	2732	Client-built.exe	30
PID 2732 wrote to memory of 2840	2732	Client-built.exe	30
PID 2732 wrote to memory of 2840	2732	Client-built.exe	30
PID 2732 wrote to memory of 2404	2732	Client-built.exe	32
PID 2732 wrote to memory of 2404	2732	Client-built.exe	32
PID 2732 wrote to memory of 2404	2732	Client-built.exe	32
PID 2404 wrote to memory of 2740	2404	Panel.exe	33
PID 2404 wrote to memory of 2740	2404	Panel.exe	33
PID 2404 wrote to memory of 2740	2404	Panel.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Panel" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Panel.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2840
- C:\Windows\system32\SubDir\Panel.exe
  "C:\Windows\system32\SubDir\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Panel" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Panel.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SubDir\Panel.exe

Filesize
3.1MB

MD5
3c8875bb8a38b7b3a8ae874e24461da5

SHA1
c2cbcf60e8c3639ec777fbdd614c97a5ae854117

SHA256
fdb43a2f99ffb4ac9cd2a2a0eeffa531de224b45f4b8cce0bd700a89f1f54e01

SHA512
23c8975c12f5d88bbb3845b0154f3bb3ea4e24bdc98f571a3ecb61cfbbc0aa25cbbb0176d2ab990c811c1d15ff7ba1fb92a185bad2c52114e7d0fdf721009f53

Download Submit
memory/2404-11-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-10-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-9-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/2404-12-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000000B50000-0x0000000000E74000-memory.dmp

Filesize
3.1MB

Download
memory/2732-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-8-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads