quasar | 7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053

General

Target

7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe
Size

2.8MB
MD5

4a1c798e636efe865b30ec8576fd6200
SHA1

ee37036fd610ebc79cb119b0094143fbb521989b
SHA256

7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053
SHA512

60da6dfcfc431855d3316f263c7d0fec8ff363fe55f1847c7ab4ec5095a7f793653849cb2253b1dbb6de8d7d9bb7829a040ebe2e77fb72c2a102e677df63e4a3
SSDEEP

49152:B/mf57XLMVRp8NsPUtugv4p+hfXq9C4RJjMuRGYd34rgReGKw7CKQ3:CMVoscup+hSfRJwtWmPnw7CF

Score

10^/10

quasar plmso discovery spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Plmso

C2

110.42.3.134:4782

Mutex

41ace1c3-9f4e-4d35-93fb-096ede244c3e

Attributes

encryption_key
980DB384AAAF5B8591D5B450BFA39547F61611DC
install_name
System.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000192a9-11.dat	family_quasar
behavioral1/memory/2524-16-0x00000000011F0000-0x0000000001514000-memory.dmp	family_quasar
behavioral1/memory/2708-24-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2096	MHClient-PLMHO.exe
2524	Client-built.exe
2708	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe
2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\System.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\System.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\System.exe	System.exe
File opened for modification	C:\Windows\system32\SubDir	System.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2388-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2388-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2072	schtasks.exe
2896	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	Client-built.exe
Token: SeDebugPrivilege	2708	System.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2096	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	30
PID 2388 wrote to memory of 2096	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	30
PID 2388 wrote to memory of 2096	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	30
PID 2388 wrote to memory of 2096	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	30
PID 2388 wrote to memory of 2524	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	31
PID 2388 wrote to memory of 2524	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	31
PID 2388 wrote to memory of 2524	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	31
PID 2388 wrote to memory of 2524	2388	7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe	31
PID 2524 wrote to memory of 2072	2524	Client-built.exe	32
PID 2524 wrote to memory of 2072	2524	Client-built.exe	32
PID 2524 wrote to memory of 2072	2524	Client-built.exe	32
PID 2524 wrote to memory of 2708	2524	Client-built.exe	34
PID 2524 wrote to memory of 2708	2524	Client-built.exe	34
PID 2524 wrote to memory of 2708	2524	Client-built.exe	34
PID 2708 wrote to memory of 2896	2708	System.exe	35
PID 2708 wrote to memory of 2896	2708	System.exe	35
PID 2708 wrote to memory of 2896	2708	System.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe
"C:\Users\Admin\AppData\Local\Temp\7081010e6695eb675cb7a4fe3c27eeeb82cd9f550d1f016eb0e130f0725cb053N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMHO.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMHO.exe"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\SubDir\System.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2072
- - C:\Windows\system32\SubDir\System.exe
    "C:\Windows\system32\SubDir\System.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Windows\system32\SubDir\System.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe

Filesize
3.1MB

MD5
3f91e95692f667285e1a1213e61fe2a0

SHA1
ad5335b29b844f5d125f563693e2f029df4eba3a

SHA256
12129040a48af189e394c31a0492a90669596bb7194a0753de7cdac9973fb5de

SHA512
ebc9ae6d1e8ca6f3b56622c64f266a4b0e2c9154e427a3d1050f5512f7cb9afc4daad0681f0585b6db6fe43106e93f56a6dfd468055b98ff5186c976fd9ae363

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMHO.exe

Filesize
5.8MB

MD5
d3b958b776d2269fed0d06db091da5f6

SHA1
ede319c947a83c7b59b5d0a00d29bb311b6aadbd

SHA256
f7685db34fa42c7e5754da2e248125db525595f50c702186e708d219ccaac5ef

SHA512
e7abd6202f2d6db2a95b28ead739ee11198898f93f93c2fbaeed352a2a8a1c43fc30fdda9f22d7c3890cb6adc4bdfc9c24526ebdfc7042eb8b6b6ba941e6273d

Download Submit
memory/2388-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2388-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2524-15-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/2524-16-0x00000000011F0000-0x0000000001514000-memory.dmp

Filesize
3.1MB

Download
memory/2524-17-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-23-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-24-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads