quasar | 4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda

General

Target

4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe
Size

3.1MB
MD5

0e544c7dccc5ac91a382ba67577d7cd6
SHA1

44b0868b7a9b0bf5c20ebeae736ddaeb2385fd92
SHA256

4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda
SHA512

c8544b538f74cfe5b397e958859b6145630db440c6b3700bb3751aa29ed7ac88ab34b9e9896ef70d25275deed05a937b4112932b879db7e93fdd0e2a5929e309
SSDEEP

49152:bv4uf2NUaNmwzPWlvdaKM7ZxTw678gbR4LoGdgaTHHB72eh2NT:bv3f2NUaNmwzPWlvdaB7ZxTw678n

Score

10^/10

quasar stinky spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

C2

ef3243fsert34.ddns.net:47820

anthonyngati.ddns.net:3872

Mutex

60cba0a9-0a63-450c-9567-57ef0e3c2e24

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
sru.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
sru

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2716-1-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/files/0x000700000001956c-6.dat	family_quasar
behavioral1/memory/2836-9-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2836	sru.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File created	C:\Windows\system32\sru\sru.exe	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe
File opened for modification	C:\Windows\system32\sru	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2828	schtasks.exe
2900	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe
Token: SeDebugPrivilege	2836	sru.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2828	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	30
PID 2716 wrote to memory of 2828	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	30
PID 2716 wrote to memory of 2828	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	30
PID 2716 wrote to memory of 2836	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	32
PID 2716 wrote to memory of 2836	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	32
PID 2716 wrote to memory of 2836	2716	4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe	32
PID 2836 wrote to memory of 2900	2836	sru.exe	33
PID 2836 wrote to memory of 2900	2836	sru.exe	33
PID 2836 wrote to memory of 2900	2836	sru.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe
"C:\Users\Admin\AppData\Local\Temp\4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2828
- C:\Windows\system32\sru\sru.exe
  "C:\Windows\system32\sru\sru.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\sru\sru.exe

Filesize
3.1MB

MD5
0e544c7dccc5ac91a382ba67577d7cd6

SHA1
44b0868b7a9b0bf5c20ebeae736ddaeb2385fd92

SHA256
4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda

SHA512
c8544b538f74cfe5b397e958859b6145630db440c6b3700bb3751aa29ed7ac88ab34b9e9896ef70d25275deed05a937b4112932b879db7e93fdd0e2a5929e309

Download Submit
memory/2716-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/2716-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-10-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-8-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-9-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download
memory/2836-11-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-12-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads