quasar | 527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

Analysis

max time kernel
44s
max time network
36s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

cee9f55f2ed2ad11bf3acb650277237a
SHA1

3515900f7d4ba68720cb506200f2dcff401a9a6e
SHA256

527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35
SHA512

da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906
SSDEEP

49152:/vJuf2NUaNmwzPWlvdaKM7ZxTwqky3EfsKk/WPIoGd0THHB72eh2NT:/vkf2NUaNmwzPWlvdaB7ZxTwqkyAw

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

Mutex

7d600197-9219-48e3-b7cb-1cd264aa77fa

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1896-1-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/files/0x002900000004613c-3.dat	family_quasar

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
1108	svchost.exe
4964	svchost.exe
2228	svchost.exe
1168	svchost.exe
4764	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4372	PING.EXE
3944	PING.EXE
2368	PING.EXE
3764	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4372	PING.EXE
3944	PING.EXE
2368	PING.EXE
3764	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
116	schtasks.exe
3124	schtasks.exe
4240	schtasks.exe
3696	schtasks.exe
1560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	4964	svchost.exe
Token: SeDebugPrivilege	2228	svchost.exe
Token: SeDebugPrivilege	1168	svchost.exe
Token: SeDebugPrivilege	4764	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 116	1896	FlashingSoftwarePRO.exe	83
PID 1896 wrote to memory of 116	1896	FlashingSoftwarePRO.exe	83
PID 1896 wrote to memory of 1108	1896	FlashingSoftwarePRO.exe	85
PID 1896 wrote to memory of 1108	1896	FlashingSoftwarePRO.exe	85
PID 1108 wrote to memory of 3124	1108	svchost.exe	86
PID 1108 wrote to memory of 3124	1108	svchost.exe	86
PID 1108 wrote to memory of 348	1108	svchost.exe	88
PID 1108 wrote to memory of 348	1108	svchost.exe	88
PID 348 wrote to memory of 5024	348	cmd.exe	90
PID 348 wrote to memory of 5024	348	cmd.exe	90
PID 348 wrote to memory of 4372	348	cmd.exe	91
PID 348 wrote to memory of 4372	348	cmd.exe	91
PID 348 wrote to memory of 4964	348	cmd.exe	92
PID 348 wrote to memory of 4964	348	cmd.exe	92
PID 4964 wrote to memory of 4240	4964	svchost.exe	93
PID 4964 wrote to memory of 4240	4964	svchost.exe	93
PID 4964 wrote to memory of 1384	4964	svchost.exe	95
PID 4964 wrote to memory of 1384	4964	svchost.exe	95
PID 1384 wrote to memory of 1984	1384	cmd.exe	97
PID 1384 wrote to memory of 1984	1384	cmd.exe	97
PID 1384 wrote to memory of 3944	1384	cmd.exe	98
PID 1384 wrote to memory of 3944	1384	cmd.exe	98
PID 1384 wrote to memory of 2228	1384	cmd.exe	99
PID 1384 wrote to memory of 2228	1384	cmd.exe	99
PID 2228 wrote to memory of 3696	2228	svchost.exe	100
PID 2228 wrote to memory of 3696	2228	svchost.exe	100
PID 2228 wrote to memory of 2608	2228	svchost.exe	102
PID 2228 wrote to memory of 2608	2228	svchost.exe	102
PID 2608 wrote to memory of 1756	2608	cmd.exe	104
PID 2608 wrote to memory of 1756	2608	cmd.exe	104
PID 2608 wrote to memory of 2368	2608	cmd.exe	105
PID 2608 wrote to memory of 2368	2608	cmd.exe	105
PID 2608 wrote to memory of 1168	2608	cmd.exe	108
PID 2608 wrote to memory of 1168	2608	cmd.exe	108
PID 1168 wrote to memory of 1560	1168	svchost.exe	109
PID 1168 wrote to memory of 1560	1168	svchost.exe	109
PID 1168 wrote to memory of 2424	1168	svchost.exe	111
PID 1168 wrote to memory of 2424	1168	svchost.exe	111
PID 2424 wrote to memory of 2372	2424	cmd.exe	113
PID 2424 wrote to memory of 2372	2424	cmd.exe	113
PID 2424 wrote to memory of 3764	2424	cmd.exe	114
PID 2424 wrote to memory of 3764	2424	cmd.exe	114
PID 2424 wrote to memory of 4764	2424	cmd.exe	115
PID 2424 wrote to memory of 4764	2424	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:116
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GVH3vT7w9udy.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5024
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4372
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysRgjavFMkDZ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1984
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3944
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9UZmzudqQ1pp.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jzciPnw2xAs7.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3764
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9UZmzudqQ1pp.bat

Filesize
199B

MD5
dce0c64141839a6fa827b1c5f6c60fae

SHA1
d976e1a2bc250270b6b19a00dc18f049b2bd6e2d

SHA256
9df2c8d24d2704ea43bf1ecd826425d05e604c31284610bfa8f01abe8a510641

SHA512
44a0164ee42acdc4d1f9901dc7f77ea0d914cb8d121ca7c1c5f5f7e5edef0c69783c1df7ac78f7278740f6a7025a50dbd6effa7f6b3b138a0fbb3710af53ba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVH3vT7w9udy.bat

Filesize
199B

MD5
516a7961bf945863417fa7b8e336bf87

SHA1
79b8e1739855db18a0745373a0f6e3b572c3525f

SHA256
3f464bfdf8597d789e1c4b425b1595b06dd5bff3729c7e408c7004ad9d363c83

SHA512
21082345f7300d4440ed1b459f84fe1907b6326feb279cd52eb149e81a66cf1acf8fce9fcf0734ac1008eac403e82322de6507b1b970c90dd1062060a8ef56d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzciPnw2xAs7.bat

Filesize
199B

MD5
4d1d296e0a3a6d6940e6ed536bfababe

SHA1
b5f0098f5694a8fe59e428332324ee2c7ec1ed60

SHA256
01c6bfe3850a5a2bffa04b3892dc5054a13e303147131e0615b8edebc982b019

SHA512
e30e5e5c8690679730a4b26d8e235eeb2551d4ba6883c5fadf1634bede761eea5170fe271c414fc7fdf2670e385a2cb15153c3116e88d0eb77b3a19c9b886761

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysRgjavFMkDZ.bat

Filesize
199B

MD5
cc5b850ab7d5865a679d8a1d7751167d

SHA1
4884b1f9a415871100638c1a8b88f4271a841373

SHA256
3ba5829350acb052ea4bccd8333daecb3d2cd6e3d45f7a8206adc74a9fda8894

SHA512
12b697b82b66ab9d23eff417df6713ba892ec32d5732314dce3727ff783603bfb8e03a4633aab59e42c93bf35a19902af994c9447f5957aa4b4a5c8907542043

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
cee9f55f2ed2ad11bf3acb650277237a

SHA1
3515900f7d4ba68720cb506200f2dcff401a9a6e

SHA256
527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

SHA512
da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906

Download Submit
memory/1108-7-0x000000001E070000-0x000000001E0C0000-memory.dmp

Filesize
320KB

Download
memory/1108-8-0x000000001E180000-0x000000001E232000-memory.dmp

Filesize
712KB

Download
memory/1108-16-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/1108-6-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/1896-0-0x00007FFE2C393000-0x00007FFE2C395000-memory.dmp

Filesize
8KB

Download
memory/1896-5-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/1896-2-0x00007FFE2C390000-0x00007FFE2CE52000-memory.dmp

Filesize
10.8MB

Download
memory/1896-1-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads