quasar | 2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
Size

85.2MB
MD5

207d3610cb4305546ae3730c433cec24
SHA1

dbaa88cff0954154133da02cfe8945660fed53f7
SHA256

2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0
SHA512

0f803879d9feba1053b9a4306d62a9c9175cc0e96bf90dfa10cae8f909925a735e35d46d8bef44bd8a3a657dd27634d65cee3dcdc6400540d9819a09f394edf5
SSDEEP

393216:54TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2o:5KRVQxhu0P8Lq1LEvxOOx5Sba

Score

10^/10

quasar neuro defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NEURO

51.15.17.193:4782

Mutex

1f6c9ecc-c030-43a4-bbf2-21326400cbb5

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1620-36-0x000002A37D150000-0x000002A37D474000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3240	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	1620	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4520	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	84
PID 3008 wrote to memory of 4520	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	84
PID 4520 wrote to memory of 380	4520	cmd.exe	85
PID 4520 wrote to memory of 380	4520	cmd.exe	85
PID 4520 wrote to memory of 3240	4520	cmd.exe	86
PID 4520 wrote to memory of 3240	4520	cmd.exe	86
PID 3240 wrote to memory of 1892	3240	powershell.exe	87
PID 3240 wrote to memory of 1892	3240	powershell.exe	87
PID 1892 wrote to memory of 1608	1892	csc.exe	88
PID 1892 wrote to memory of 1608	1892	csc.exe	88
PID 3008 wrote to memory of 4656	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	90
PID 3008 wrote to memory of 4656	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	90
PID 4656 wrote to memory of 1620	4656	cmd.exe	91
PID 4656 wrote to memory of 1620	4656	cmd.exe	91
PID 3008 wrote to memory of 2652	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	96
PID 3008 wrote to memory of 2652	3008	2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe	96

C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
"C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrt2j2dk\xrt2j2dk.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "c:\Users\Admin\AppData\Local\Temp\xrt2j2dk\CSCDA12369908B4ACA93601A5FDF1B8DE8.TMP"
        5⤵
        
        PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe"
  2⤵
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe

Filesize
47B

MD5
447e47ca1fe8ea0ee113c82580a90752

SHA1
b353067d653aa17150deb0e5943f517948070b21

SHA256
5684d1afb88220efeba965a9e28eac2f830e22a3d57348e66e4a5d4e799664f5

SHA512
4b52747210cada19b4d1964c7d6d6d7697570497e1084b153835ae8a67b5e284178fc807ddbf32cfffac564ccf69a21d7a80b407fc55799d23c71d1fe68c3b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp

Filesize
1KB

MD5
f21393e5a6a407d1e35bcaa70ef5d104

SHA1
a0b437047bea7c12086b7cbeaa23e43f7869dcef

SHA256
d520c876a073862a0122951e131d673eac64accef9f6473ec75f7704e931dbbc

SHA512
eb1be6b044898804f491c1ac5ec4ec65b83665a5b05886c4ca5b8ad1999c86bcdf99bae6656d4269db6e08d220fd567fc83d322a64e4b4ed5c6f4b958bf07506

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
5.6MB

MD5
c549fe02bb65c0c2977c741c7ed4fd80

SHA1
8475e459ba2fe572c53b08c061a5b24e074832a1

SHA256
d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb

SHA512
b51e81d073dc1bbdeea1f0dcf66901f2996faa5f30657e354c0c9271ad0f58ce0cc20744f8287afd81904d10148032038f2bad33e45d49685f7dce73e0a52b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnzr5a4u.biu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrt2j2dk\xrt2j2dk.dll

Filesize
3KB

MD5
c244bc82f16ea2c9c56cf60276072991

SHA1
6d7a820316ec3f31abe0a5a0a6d1c6221514f2b7

SHA256
b7e53832071a121d748ebdcf161ab265a8bc50ba6d6e1ce34bf17022d597ec63

SHA512
f68075a9e00d3f3376f2c6eb8f861934937207ea8a5e2152a41e66dae103eb36eb666ef6d0ed6327a802860a5683141062314a7988dbc62a3bd69824c150da8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrt2j2dk\CSCDA12369908B4ACA93601A5FDF1B8DE8.TMP

Filesize
652B

MD5
2bc9b3f2cb5bf9f3dd02f7ff592fbb1c

SHA1
a87ca223f23e4591c87f9061fa09434b0d838338

SHA256
99d1bca21c4fb068d20fa60cfb59d3005d5eaacb10ff1674d581a8bc987359c8

SHA512
0a3f96d3f4d7692b7eab4d57c9d0f1241f1be98702eeef195bb0c482340ed56482537b7f6913ca08013d8574b37e771abc26a75dd6b500b7026ef3cacc9f2a76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrt2j2dk\xrt2j2dk.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrt2j2dk\xrt2j2dk.cmdline

Filesize
369B

MD5
d12d76af6d1a0e422dbc838047162e53

SHA1
f0bb90c690044521e5c2cdf55ac635580ce64d8c

SHA256
b7306b475c6717e4528ca4bd7d4fccdc5f78f3aa967bbfd64230ab446bcce3e3

SHA512
08d7ecb453b0ddb93bcbc10e525205a7658cd4eb26c135e7eac75285478dd4ef73a03c9e0e7c48bb5bb40ea84bff03e81f9f309da6588709d887c582ab590922

Download Submit
memory/1620-36-0x000002A37D150000-0x000002A37D474000-memory.dmp

Filesize
3.1MB

Download
memory/1620-37-0x000002A37D500000-0x000002A37D550000-memory.dmp

Filesize
320KB

Download
memory/1620-38-0x000002A37DAA0000-0x000002A37DB52000-memory.dmp

Filesize
712KB

Download
memory/1620-41-0x000002A37D560000-0x000002A37D572000-memory.dmp

Filesize
72KB

Download
memory/1620-42-0x000002A37D5C0000-0x000002A37D5FC000-memory.dmp

Filesize
240KB

Download
memory/3240-27-0x000001E23BA50000-0x000001E23BA58000-memory.dmp

Filesize
32KB

Download
memory/3240-14-0x000001E23E150000-0x000001E23E1C6000-memory.dmp

Filesize
472KB

Download
memory/3240-13-0x000001E23E080000-0x000001E23E0C4000-memory.dmp

Filesize
272KB

Download
memory/3240-8-0x000001E23B9E0000-0x000001E23BA02000-memory.dmp

Filesize
136KB

Download