quasar | 6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411

General

Target

emmasBackdoor.exe
Size

2.9MB
MD5

0266f80fe6efd3e3e4bd0363d17bcbde
SHA1

b144914eb53d2e35e410be64d2db052d06d680df
SHA256

6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411
SHA512

21174624b988b26d16ba96c57b65a0dd0c0fa02d5396ca29c5cc11851f7546a528e1343f3216b224f3deebb1e749ac1dfd02fc5485bf4a0dd5b6d0983c496ac8
SSDEEP

49152:EwREDDMVBq77B4L8lXQn/zJNGJ7YTpZIn+lD2GgWinoaDFO/82:EwRE8q77B44+zJNN1aHNo2O/82

Score

10^/10

quasar emmassub discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

C2

rath3r.xyz:4782

Mutex

7126373e-e872-4f94-bbbb-42e88d57137b

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
Windows.WARP.JITService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftUpdateTaskMachineCore
subdirectory
ice

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018706-24.dat	family_quasar
behavioral1/memory/864-34-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/1800-43-0x0000000000BD0000-0x0000000000EF4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2504	emmasBackdoor.tmp
864	Client.exe
1800	Windows.WARP.JITService.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	emmasBackdoor.exe
2504	emmasBackdoor.tmp
2504	emmasBackdoor.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Windows.WARP.JITService.exe
File opened for modification	C:\Windows\system32\ice	Windows.WARP.JITService.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-044R1.tmp	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-KT204.tmp	emmasBackdoor.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1624	schtasks.exe
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2648	powershell.exe
2504	emmasBackdoor.tmp
2504	emmasBackdoor.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	1800	Windows.WARP.JITService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2504	emmasBackdoor.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1800	Windows.WARP.JITService.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 1860 wrote to memory of 2504	1860	emmasBackdoor.exe	29
PID 2504 wrote to memory of 2648	2504	emmasBackdoor.tmp	30
PID 2504 wrote to memory of 2648	2504	emmasBackdoor.tmp	30
PID 2504 wrote to memory of 2648	2504	emmasBackdoor.tmp	30
PID 2504 wrote to memory of 2648	2504	emmasBackdoor.tmp	30
PID 2504 wrote to memory of 864	2504	emmasBackdoor.tmp	33
PID 2504 wrote to memory of 864	2504	emmasBackdoor.tmp	33
PID 2504 wrote to memory of 864	2504	emmasBackdoor.tmp	33
PID 2504 wrote to memory of 864	2504	emmasBackdoor.tmp	33
PID 864 wrote to memory of 1624	864	Client.exe	34
PID 864 wrote to memory of 1624	864	Client.exe	34
PID 864 wrote to memory of 1624	864	Client.exe	34
PID 864 wrote to memory of 1800	864	Client.exe	36
PID 864 wrote to memory of 1800	864	Client.exe	36
PID 864 wrote to memory of 1800	864	Client.exe	36
PID 1800 wrote to memory of 1440	1800	Windows.WARP.JITService.exe	37
PID 1800 wrote to memory of 1440	1800	Windows.WARP.JITService.exe	37
PID 1800 wrote to memory of 1440	1800	Windows.WARP.JITService.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe
"C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\is-5EMT8.tmp\emmasBackdoor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5EMT8.tmp\emmasBackdoor.tmp" /SL5="$30150,1909968,965632,C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-H883F.tmp\disable_defender.ps1"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Program Files (x86)\EmmasBackdoor\Client.exe
    "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1624
  - - C:\Windows\system32\ice\Windows.WARP.JITService.exe
      "C:\Windows\system32\ice\Windows.WARP.JITService.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H883F.tmp\disable_defender.ps1

Filesize
544B

MD5
3568227fbb730d48fa31d13e87f9a370

SHA1
83ac8fbb2b9c35337f372977fe3323f63060c5ff

SHA256
a06e1c77a4ab2a13f90dc2f86bbb4cb662f2bd10b1f805b1b7745af4c2ad3698

SHA512
2b8863dbdc4c980eac867e600ca008261d046a99bf40cfc02a350ec45a04e3a7b958b21219ad0a26b339336f779ba167aa84c45dbe4d9d9ada004c4515ba6d17

Download Submit
\Program Files (x86)\EmmasBackdoor\Client.exe

Filesize
3.1MB

MD5
66ebe604ddf4d6ab60a183f515536528

SHA1
278782873ae0a5cac94add051edfc12e223be55c

SHA256
37e733731381c02941e4a8da30350cf968532d08012b6bb91e525241e8ee2c86

SHA512
756de51b5f6116640736f7dd37faf6172db79c8eaf8da17ba1e3d788d5c0179a01746f7d30044ca5c535c1b3d938bfde3e5d810b7fe50815030be8a5288c2bf9

Download Submit
\Users\Admin\AppData\Local\Temp\is-5EMT8.tmp\emmasBackdoor.tmp

Filesize
3.3MB

MD5
95c49a50069cf27284ac7b186df5aae0

SHA1
4120193848e7726aac277f9ea6e4b3670342ed03

SHA256
9f62b6f4c234ded050162b55a9c6de0c604578dee34462b96615e48169a485bb

SHA512
f6d3fd7454943aac838cd81e17c35787747185e0736823424453ffbf375da1e921dba0a5ce88a05f7a71e2ac367d47ee8fbabbd529f48997b99f1a3afa5370cd

Download Submit
memory/864-34-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/1800-43-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

Filesize
3.1MB

Download
memory/1860-2-0x0000000000101000-0x00000000001A9000-memory.dmp

Filesize
672KB

Download
memory/1860-0-0x0000000000100000-0x00000000001FA000-memory.dmp

Filesize
1000KB

Download
memory/1860-14-0x0000000000100000-0x00000000001FA000-memory.dmp

Filesize
1000KB

Download
memory/1860-37-0x0000000000100000-0x00000000001FA000-memory.dmp

Filesize
1000KB

Download
memory/2504-8-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2504-29-0x0000000000DB0000-0x0000000001109000-memory.dmp

Filesize
3.3MB

Download
memory/2504-15-0x0000000000DB0000-0x0000000001109000-memory.dmp

Filesize
3.3MB

Download
memory/2504-36-0x0000000000DB0000-0x0000000001109000-memory.dmp

Filesize
3.3MB

Download
memory/2504-16-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads