quasar | 6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411

Analysis

max time kernel
39s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emmasBackdoor.exe
Size

2.9MB
MD5

0266f80fe6efd3e3e4bd0363d17bcbde
SHA1

b144914eb53d2e35e410be64d2db052d06d680df
SHA256

6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411
SHA512

21174624b988b26d16ba96c57b65a0dd0c0fa02d5396ca29c5cc11851f7546a528e1343f3216b224f3deebb1e749ac1dfd02fc5485bf4a0dd5b6d0983c496ac8
SSDEEP

49152:EwREDDMVBq77B4L8lXQn/zJNGJ7YTpZIn+lD2GgWinoaDFO/82:EwRE8q77B44+zJNN1aHNo2O/82

Score

10^/10

quasar emmassub discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

rath3r.xyz:4782

Mutex

7126373e-e872-4f94-bbbb-42e88d57137b

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
Windows.WARP.JITService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftUpdateTaskMachineCore
subdirectory
ice

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001a00000002ab8f-68.dat	family_quasar
behavioral2/memory/4172-75-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
3204	emmasBackdoor.tmp
4172	Client.exe
1500	Windows.WARP.JITService.exe
2488	Client.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\ice	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Windows.WARP.JITService.exe
File opened for modification	C:\Windows\system32\ice	Windows.WARP.JITService.exe
File created	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-0PVJQ.tmp	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-50VF6.tmp	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1464	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe	emmasBackdoor.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5500	schtasks.exe
124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1464	powershell.exe
1464	powershell.exe
3204	emmasBackdoor.tmp
3204	emmasBackdoor.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4172	Client.exe
Token: SeDebugPrivilege	1500	Windows.WARP.JITService.exe
Token: SeDebugPrivilege	2488	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3204	emmasBackdoor.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1500	Windows.WARP.JITService.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5264 wrote to memory of 3204	5264	emmasBackdoor.exe	77
PID 5264 wrote to memory of 3204	5264	emmasBackdoor.exe	77
PID 5264 wrote to memory of 3204	5264	emmasBackdoor.exe	77
PID 3204 wrote to memory of 1464	3204	emmasBackdoor.tmp	78
PID 3204 wrote to memory of 1464	3204	emmasBackdoor.tmp	78
PID 3204 wrote to memory of 1464	3204	emmasBackdoor.tmp	78
PID 3204 wrote to memory of 4172	3204	emmasBackdoor.tmp	81
PID 3204 wrote to memory of 4172	3204	emmasBackdoor.tmp	81
PID 4172 wrote to memory of 5500	4172	Client.exe	82
PID 4172 wrote to memory of 5500	4172	Client.exe	82
PID 4172 wrote to memory of 1500	4172	Client.exe	84
PID 4172 wrote to memory of 1500	4172	Client.exe	84
PID 1500 wrote to memory of 124	1500	Windows.WARP.JITService.exe	85
PID 1500 wrote to memory of 124	1500	Windows.WARP.JITService.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe
"C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5264
- C:\Users\Admin\AppData\Local\Temp\is-FQS2L.tmp\emmasBackdoor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FQS2L.tmp\emmasBackdoor.tmp" /SL5="$B0230,1909968,965632,C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-EG8VV.tmp\disable_defender.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Program Files (x86)\EmmasBackdoor\Client.exe
    "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5500
  - - C:\Windows\system32\ice\Windows.WARP.JITService.exe
      "C:\Windows\system32\ice\Windows.WARP.JITService.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:124

C:\Program Files (x86)\EmmasBackdoor\Client.exe
"C:\Program Files (x86)\EmmasBackdoor\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EmmasBackdoor\Client.exe

Filesize
3.1MB

MD5
66ebe604ddf4d6ab60a183f515536528

SHA1
278782873ae0a5cac94add051edfc12e223be55c

SHA256
37e733731381c02941e4a8da30350cf968532d08012b6bb91e525241e8ee2c86

SHA512
756de51b5f6116640736f7dd37faf6172db79c8eaf8da17ba1e3d788d5c0179a01746f7d30044ca5c535c1b3d938bfde3e5d810b7fe50815030be8a5288c2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1yy10lz.n5f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EG8VV.tmp\disable_defender.ps1

Filesize
544B

MD5
3568227fbb730d48fa31d13e87f9a370

SHA1
83ac8fbb2b9c35337f372977fe3323f63060c5ff

SHA256
a06e1c77a4ab2a13f90dc2f86bbb4cb662f2bd10b1f805b1b7745af4c2ad3698

SHA512
2b8863dbdc4c980eac867e600ca008261d046a99bf40cfc02a350ec45a04e3a7b958b21219ad0a26b339336f779ba167aa84c45dbe4d9d9ada004c4515ba6d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQS2L.tmp\emmasBackdoor.tmp

Filesize
3.3MB

MD5
95c49a50069cf27284ac7b186df5aae0

SHA1
4120193848e7726aac277f9ea6e4b3670342ed03

SHA256
9f62b6f4c234ded050162b55a9c6de0c604578dee34462b96615e48169a485bb

SHA512
f6d3fd7454943aac838cd81e17c35787747185e0736823424453ffbf375da1e921dba0a5ce88a05f7a71e2ac367d47ee8fbabbd529f48997b99f1a3afa5370cd

Download Submit
memory/1464-42-0x0000000073FA0000-0x0000000074751000-memory.dmp

Filesize
7.7MB

Download
memory/1464-46-0x0000000007120000-0x00000000071B6000-memory.dmp

Filesize
600KB

Download
memory/1464-11-0x0000000073FA0000-0x0000000074751000-memory.dmp

Filesize
7.7MB

Download
memory/1464-13-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/1464-14-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/1464-15-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/1464-10-0x00000000046A0000-0x00000000046D6000-memory.dmp

Filesize
216KB

Download
memory/1464-24-0x0000000005650000-0x00000000059A7000-memory.dmp

Filesize
3.3MB

Download
memory/1464-25-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/1464-26-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/1464-9-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/1464-29-0x00000000701B0000-0x00000000701FC000-memory.dmp

Filesize
304KB

Download
memory/1464-28-0x0000000006130000-0x0000000006164000-memory.dmp

Filesize
208KB

Download
memory/1464-38-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/1464-39-0x0000000073FA0000-0x0000000074751000-memory.dmp

Filesize
7.7MB

Download
memory/1464-40-0x0000000006D40000-0x0000000006DE4000-memory.dmp

Filesize
656KB

Download
memory/1464-41-0x0000000073FA0000-0x0000000074751000-memory.dmp

Filesize
7.7MB

Download
memory/1464-56-0x0000000073FA0000-0x0000000074751000-memory.dmp

Filesize
7.7MB

Download
memory/1464-43-0x0000000007520000-0x0000000007B9A000-memory.dmp

Filesize
6.5MB

Download
memory/1464-44-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/1464-45-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/1464-12-0x0000000004D10000-0x000000000533A000-memory.dmp

Filesize
6.2MB

Download
memory/1464-47-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/1464-48-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/1464-49-0x00000000070E0000-0x00000000070F5000-memory.dmp

Filesize
84KB

Download
memory/1464-50-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/1464-51-0x00000000071E0000-0x00000000071E8000-memory.dmp

Filesize
32KB

Download
memory/1464-52-0x0000000007210000-0x0000000007232000-memory.dmp

Filesize
136KB

Download
memory/1464-53-0x0000000008150000-0x00000000086F6000-memory.dmp

Filesize
5.6MB

Download
memory/1500-85-0x000000001C2C0000-0x000000001C310000-memory.dmp

Filesize
320KB

Download
memory/1500-86-0x000000001C3D0000-0x000000001C482000-memory.dmp

Filesize
712KB

Download
memory/1500-89-0x000000001CBC0000-0x000000001D0E8000-memory.dmp

Filesize
5.2MB

Download
memory/3204-57-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3204-59-0x0000000000D20000-0x0000000001079000-memory.dmp

Filesize
3.3MB

Download
memory/3204-6-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3204-83-0x0000000000D20000-0x0000000001079000-memory.dmp

Filesize
3.3MB

Download
memory/4172-75-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/5264-0-0x0000000000AA0000-0x0000000000B9A000-memory.dmp

Filesize
1000KB

Download
memory/5264-58-0x0000000000AA0000-0x0000000000B9A000-memory.dmp

Filesize
1000KB

Download
memory/5264-84-0x0000000000AA0000-0x0000000000B9A000-memory.dmp

Filesize
1000KB

Download
memory/5264-2-0x0000000000AA1000-0x0000000000B49000-memory.dmp

Filesize
672KB

Download