quasar | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949

Analysis

max time kernel
92s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Size

83.0MB
MD5

4117eceb35a8705eba8b0ed2148ad7d7
SHA1

1f0f47d0f8fc9f7d11467681473c563bf3624834
SHA256

dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949
SHA512

ad1fb197cf8fc7ebc536bd8787b655e8bd947e23ea64ad7a6da16238f5d4b4f8b3f0e30efc01ce0c0bc27f31dad1afdd97bb13aae3992a78e5214c7b761c4fe0
SSDEEP

393216:T4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2W:TKRVQxhu0P8Lq1LEvxOOx5Sk

Score

10^/10

quasar staking defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Staking

51.15.17.193:4782

Mutex

ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/344-39-0x000001C2F5840000-0x000001C2F5B64000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe

Executes dropped EXE 1 IoCs

pid	Process
344	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
332	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
332	powershell.exe
332	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	344	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1952	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	84
PID 1720 wrote to memory of 1952	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	84
PID 1952 wrote to memory of 4744	1952	cmd.exe	85
PID 1952 wrote to memory of 4744	1952	cmd.exe	85
PID 1952 wrote to memory of 332	1952	cmd.exe	86
PID 1952 wrote to memory of 332	1952	cmd.exe	86
PID 332 wrote to memory of 3188	332	powershell.exe	87
PID 332 wrote to memory of 3188	332	powershell.exe	87
PID 3188 wrote to memory of 1096	3188	csc.exe	88
PID 3188 wrote to memory of 1096	3188	csc.exe	88
PID 1720 wrote to memory of 4480	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	89
PID 1720 wrote to memory of 4480	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	89
PID 4480 wrote to memory of 344	4480	cmd.exe	90
PID 4480 wrote to memory of 344	4480	cmd.exe	90
PID 1720 wrote to memory of 1456	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	91
PID 1720 wrote to memory of 1456	1720	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	91

C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
"C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tn0udj1k\tn0udj1k.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BF2.tmp" "c:\Users\Admin\AppData\Local\Temp\tn0udj1k\CSC7F916A288F1478BBD4BC0BE6177F9B6.TMP"
        5⤵
        
        PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe"
  2⤵
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe

Filesize
9B

MD5
9d1ead73e678fa2f51a70a933b0bf017

SHA1
d205cbd6783332a212c5ae92d73c77178c2d2f28

SHA256
0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5

SHA512
935b3d516e996f6d25948ba8a54c1b7f70f7f0e3f517e36481fdf0196c2c5cfc2841f86e891f3df9517746b7fb605db47cdded1b8ff78d9482ddaa621db43a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BF2.tmp

Filesize
1KB

MD5
a610a37b95f78fec8ff26be9c454811f

SHA1
14dc55414f94af7928b63d2eba246520ccf25dd8

SHA256
929889a85e4c6a0e2233d350454dfdcb8a58a0fb647b70122acd292b9feaf5af

SHA512
d741a2f2c2b9e93735e4390856cff278ad3e28550cc0202fbde25eedb07eed0484a72fff34ba340c1ab4ae4c0c7929a8f95a840a6a1f6bb5b2a2273d74d9661f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
4.8MB

MD5
9a7cea63db91937ec2fa0c4a40dcde82

SHA1
dbc121740eb6aa3221beadd3ae69df1ce095c441

SHA256
687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728

SHA512
36e6a806125b1d80e97482f0b03a7481a136f01d2808169f171d89c54d2faf6f5b6913f4751dc737d5dc672f63622e379fd87f306cec2e076d8a5e73d33059dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45zfyx2v.wgb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\tn0udj1k\tn0udj1k.dll

Filesize
3KB

MD5
c130cc6eeb7ec91a33e49cefe208d6d8

SHA1
80e0129fcc7a9f53d6b11cef5010087ff1590b1a

SHA256
93ee84a01bf3f32f8005c284ac6f8729e340be05f03e1a44ef75a8eec24e660b

SHA512
eb164db60a3f66fd33f9417e99014887715402ad8a6d4da01b88d565ddd333b9f1306e8688d9079344a1026c72a20c15b6b2f20b40a8aae4e64330ccd2433e54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tn0udj1k\CSC7F916A288F1478BBD4BC0BE6177F9B6.TMP

Filesize
652B

MD5
2b18a2d90c72e899e2911c7ac5aeaed7

SHA1
d6da1703312de7cee7b58d7c063cd6320cda67d9

SHA256
1777b2311276c67a123c02693c9d0fb666ecb3eac9334b28d5d3975985124726

SHA512
8ba9915a1ce20170289801a5409ca0f89d6e31d7fd4cbb54f926a9fbd4f3384e14a85e0788aafbb8895409323695a518822bbcfb40b48d6eec3fa68b1140f5a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tn0udj1k\tn0udj1k.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tn0udj1k\tn0udj1k.cmdline

Filesize
369B

MD5
5115e8ab94db127d3ef5033cd450e1f4

SHA1
d119a92838b841a898bac9b49905641a3d53774f

SHA256
59bd584255e452d2b1647f018b9fd9c35240fb3e6c7c7c1a50f74f62ca4c4f90

SHA512
4bf06ca4135818875465e7cebf30731c291e837d127a0bae62f5d44a7487c42c6475fe259feee53f51c3e1b9545453326787fb35e4735a4d4044d52c703331d2

Download Submit
memory/332-13-0x000001D243F60000-0x000001D243FA4000-memory.dmp

Filesize
272KB

Download
memory/332-27-0x000001D243F30000-0x000001D243F38000-memory.dmp

Filesize
32KB

Download
memory/332-14-0x000001D244380000-0x000001D2443F6000-memory.dmp

Filesize
472KB

Download
memory/332-3-0x000001D243DC0000-0x000001D243DE2000-memory.dmp

Filesize
136KB

Download
memory/344-39-0x000001C2F5840000-0x000001C2F5B64000-memory.dmp

Filesize
3.1MB

Download
memory/344-40-0x000001C2DCBC0000-0x000001C2DCC10000-memory.dmp

Filesize
320KB

Download
memory/344-41-0x000001C2F79F0000-0x000001C2F7AA2000-memory.dmp

Filesize
712KB

Download
memory/344-44-0x000001C2DCC10000-0x000001C2DCC22000-memory.dmp

Filesize
72KB

Download
memory/344-45-0x000001C2F5CD0000-0x000001C2F5D0C000-memory.dmp

Filesize
240KB

Download