quasar | 9fda62581f43e3936e371ced328374f97a7ede2b9fff3748bf618977b1da495a

Resubmissions

16-12-2024 06:21

241216-g4qyfsxre1 10

16-12-2024 06:08

241216-gv76daxnct 10

Analysis

max time kernel
224s
max time network
229s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SerialChecker.exe
Size

3.1MB
MD5

70fa564a25bdd50a78764228f591f9a0
SHA1

2d025703005c25bc35b4755321844f3adc41c974
SHA256

9fda62581f43e3936e371ced328374f97a7ede2b9fff3748bf618977b1da495a
SHA512

ce33af378f45752148de566ec1281a4e212b5af8e9d9d942f833f8d35a5c5d84f8657f17dc053d4bd56ae6ea556122de8039d0cab8c37d6eb5af9f89041eaff3
SSDEEP

49152:Ovkt62XlaSFNWPjljiFa2RoUYIbnp9nr1oGdI2THHB72eh2NT:Ov462XlaSFNWPjljiFXRoUYI7p9nZ

Score

10^/10

quasar fn spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

192.168.1.217:4782

Mutex

5c3e1592-9532-4a55-9a67-38ea1d723d1f

Attributes

encryption_key
53C48FEB4994411E81FCC7855A2076C90E2AC3C1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
FN

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1484-1-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/files/0x0028000000046185-3.dat	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1368	Client.exe
5508	Client.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5628	schtasks.exe
5684	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3360	OpenWith.exe
4260	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	SerialChecker.exe
Token: SeDebugPrivilege	1368	Client.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe
Token: 33	4260	mmc.exe
Token: SeIncBasePriorityPrivilege	4260	mmc.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1368	Client.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
3360	OpenWith.exe
4260	mmc.exe
4260	mmc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 5628	1484	SerialChecker.exe	82
PID 1484 wrote to memory of 5628	1484	SerialChecker.exe	82
PID 1484 wrote to memory of 1368	1484	SerialChecker.exe	87
PID 1484 wrote to memory of 1368	1484	SerialChecker.exe	87
PID 1368 wrote to memory of 5684	1368	Client.exe	89
PID 1368 wrote to memory of 5684	1368	Client.exe	89
PID 3360 wrote to memory of 4708	3360	OpenWith.exe	97
PID 3360 wrote to memory of 4708	3360	OpenWith.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SerialChecker.exe
"C:\Users\Admin\AppData\Local\Temp\SerialChecker.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FN\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5628
- C:\Users\Admin\AppData\Roaming\FN\Client.exe
  "C:\Users\Admin\AppData\Roaming\FN\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FN\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Logs\2024-12-16
  2⤵
  PID:4708

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Users\Admin\AppData\Roaming\FN\Client.exe
"C:\Users\Admin\AppData\Roaming\FN\Client.exe"
1⤵
- Executes dropped EXE
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FN\Client.exe

Filesize
3.1MB

MD5
70fa564a25bdd50a78764228f591f9a0

SHA1
2d025703005c25bc35b4755321844f3adc41c974

SHA256
9fda62581f43e3936e371ced328374f97a7ede2b9fff3748bf618977b1da495a

SHA512
ce33af378f45752148de566ec1281a4e212b5af8e9d9d942f833f8d35a5c5d84f8657f17dc053d4bd56ae6ea556122de8039d0cab8c37d6eb5af9f89041eaff3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\2024-12-16

Filesize
496B

MD5
d125843d84a2fa51f3296930931d0ce6

SHA1
3c1fa7d92de37d9e510fdd7d78e690279e502e0b

SHA256
b03f645a92e5ac996ee184ec115b6dce4a8c5ef3b0951e374443a35202cd720e

SHA512
612130e5c1eb5b24de4fbd45d2bbb02f055efca9b003a7b9b1c9b77210c5aa8920e11ea6bab02b6a804eafd67784d4e4127806d40dabbf17d01958784fad5e44

Download Submit
memory/1368-7-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1368-6-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1368-8-0x000000001CE70000-0x000000001CEC0000-memory.dmp

Filesize
320KB

Download
memory/1368-9-0x000000001CF80000-0x000000001D032000-memory.dmp

Filesize
712KB

Download
memory/1368-10-0x000000001D670000-0x000000001DB98000-memory.dmp

Filesize
5.2MB

Download
memory/1368-11-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1368-12-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1484-2-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1484-5-0x00007FFD97B40000-0x00007FFD98602000-memory.dmp

Filesize
10.8MB

Download
memory/1484-0-0x00007FFD97B43000-0x00007FFD97B45000-memory.dmp

Filesize
8KB

Download
memory/1484-1-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads