quasar | fab76f9a2d47107dffa334b26f109cbe8a4f06ee8b936a622dc1f571e8412c23

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app1.exe
Size

3.1MB
MD5

829605130c3b20269b5c56ca026241ab
SHA1

61f20276c524f8852911b027b95cecff5075e650
SHA256

fab76f9a2d47107dffa334b26f109cbe8a4f06ee8b936a622dc1f571e8412c23
SHA512

f097b0d4c461ae9fddb29cb42722041d78ef6a7bc01754fca72d321e8dd3359b41438be8639fa00c21f673ff0380ea9316b99dd648f47a4c6bdd6dc74fbc293b
SSDEEP

49152:KvWI22SsaNYfdPBldt698dBcjHaAaax7martAoGd8rtolTHHB72eh2NT:Kv722SsaNYfdPBldt6+dBcjHBp7ys

Score

10^/10

quasar kdotcrypt discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

KDOTCrypt

fedx.ddns.net:7000

Mutex

05ed390b-a98b-426c-bddb-fc4eab59ee87

Attributes

encryption_key
92470F4731518ABFA77DC89068544FB7E7B7C459
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1016-1-0x00000000006F0000-0x0000000000A14000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	app1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3320	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3320	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	app1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1020	1016	app1.exe	96
PID 1016 wrote to memory of 1020	1016	app1.exe	96
PID 1020 wrote to memory of 3088	1020	cmd.exe	98
PID 1020 wrote to memory of 3088	1020	cmd.exe	98
PID 1020 wrote to memory of 3320	1020	cmd.exe	99
PID 1020 wrote to memory of 3320	1020	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\app1.exe
"C:\Users\Admin\AppData\Local\Temp\app1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOLZynnCTxKj.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3088
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jOLZynnCTxKj.bat

Filesize
205B

MD5
875df27c2c2da321951506d41cf56ef9

SHA1
89034866259841a9860219eed5092f38c96af95a

SHA256
e2569fe372f4cb417b8e939ba8595adee592c7b5ac3a88abdec8600f66661343

SHA512
8825f743f2821071c4cb116be15d2ac6a162df5bb7581ac3b2a55e695307ae64efacd6a526ea1e0482c14f105d280a46b580eba701e40a9bd05e970651c639c5

Download Submit
memory/1016-8-0x000000001BA90000-0x000000001BACC000-memory.dmp

Filesize
240KB

Download
memory/1016-2-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/1016-3-0x0000000002CD0000-0x0000000002D20000-memory.dmp

Filesize
320KB

Download
memory/1016-4-0x000000001BAF0000-0x000000001BBA2000-memory.dmp

Filesize
712KB

Download
memory/1016-7-0x000000001BA30000-0x000000001BA42000-memory.dmp

Filesize
72KB

Download
memory/1016-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

Filesize
8KB

Download
memory/1016-9-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

Filesize
8KB

Download
memory/1016-10-0x000000001C1F0000-0x000000001C2F2000-memory.dmp

Filesize
1.0MB

Download
memory/1016-11-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/1016-16-0x000000001C1F0000-0x000000001C2F2000-memory.dmp

Filesize
1.0MB

Download
memory/1016-17-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/1016-1-0x00000000006F0000-0x0000000000A14000-memory.dmp

Filesize
3.1MB

Download