quasar | 0c904ce53aeca5d0e078e752c24dc3bed47b74d22f9158b6b4fb56d55c178ae0

Analysis

max time kernel
94s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

viltracoin-qt.exe
Size

82.5MB
MD5

959a666390a5dcad9994b132fd286ef8
SHA1

a2d17928f1e7178c25fe0dd07bdb3f2bd9f6c4ca
SHA256

4feb1b58d3941d021d0525cf544ea5df9fc3e3ed3d32a621801072ad3a5a4da8
SHA512

fcbe47048a4448c51b042832c8ff2766798682fb7cf4ce68e2b1523d6f14f39b1a43c7f3eec28005314c22e86060d476552606900e382c5c425abc729877b946
SSDEEP

393216:34TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2X:3KRVQxhu0P8Lq1LEvxOOx5Sh

Score

10^/10

quasar viltrac defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Viltrac

51.15.17.193:4782

Mutex

d099b659-69af-41e2-9d7f-a5e64da5be06

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3428-39-0x0000024D3A560000-0x0000024D3A884000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	viltracoin-qt.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	viltracoin-qt.exe

Executes dropped EXE 1 IoCs

pid	Process
3428	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5112	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5112	powershell.exe
5112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	3428	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1060	5032	viltracoin-qt.exe	82
PID 5032 wrote to memory of 1060	5032	viltracoin-qt.exe	82
PID 1060 wrote to memory of 3916	1060	cmd.exe	83
PID 1060 wrote to memory of 3916	1060	cmd.exe	83
PID 1060 wrote to memory of 5112	1060	cmd.exe	84
PID 1060 wrote to memory of 5112	1060	cmd.exe	84
PID 5112 wrote to memory of 1684	5112	powershell.exe	85
PID 5112 wrote to memory of 1684	5112	powershell.exe	85
PID 1684 wrote to memory of 4588	1684	csc.exe	86
PID 1684 wrote to memory of 4588	1684	csc.exe	86
PID 5032 wrote to memory of 3388	5032	viltracoin-qt.exe	87
PID 5032 wrote to memory of 3388	5032	viltracoin-qt.exe	87
PID 3388 wrote to memory of 3428	3388	cmd.exe	88
PID 3388 wrote to memory of 3428	3388	cmd.exe	88
PID 5032 wrote to memory of 4744	5032	viltracoin-qt.exe	89
PID 5032 wrote to memory of 4744	5032	viltracoin-qt.exe	89

C:\Users\Admin\AppData\Local\Temp\viltracoin-qt.exe
"C:\Users\Admin\AppData\Local\Temp\viltracoin-qt.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:3916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bnrljdjt\bnrljdjt.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC544.tmp" "c:\Users\Admin\AppData\Local\Temp\bnrljdjt\CSC349352A4A16943218179666087D2842C.TMP"
        5⤵
        
        PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\viltracoin-qt1.exe"
  2⤵
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC544.tmp

Filesize
1KB

MD5
8b71b04e033a8331fd24a7419d8a4867

SHA1
daddbb35e6d85098448e37d9e1a8a174846fc661

SHA256
8f8157b0ac35fd54749f8dbbfd5f93a15538c5cb63d8d60e105f29ddb46789a9

SHA512
4aca9c60bcb644ffea453fb6c1b7768f95f91a7896a2334c49d57d564de0fbfb29eca93fa969e6e34340585e7956ac1a44f0a299b6a74cdeab09987c7161d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
4.7MB

MD5
2884a477526c8308e9492845449e7e55

SHA1
eee9ad47bffe627c71529e81bf9daaf95ee3df30

SHA256
55c5b0b62609618558f51c5f35380291a4337cae8b14e65dd5ce7b226e9e4096

SHA512
d4e3694af590f82a1464e403c05c4f7ed34dcd9a91b5b4930d72ae406625952f332b22f3a15aba4a2a412b1967ccb09a7383d2c4140752a1b296e9326f89b5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vijwqi2v.1om.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnrljdjt\bnrljdjt.dll

Filesize
3KB

MD5
795e7262713d93097f29e5bcfbe43199

SHA1
0872d771e7f73585768752cd04bc9ffdebc2e30e

SHA256
7882bb4ba853ec120ca27cca9dd6ba7314dc98b703441036cda6f9f15af13ece

SHA512
1db1f7b1ced7c54c670ee0b011c0094459bb62b4acd2a656daef7b39ba5b40450120ac2a6ad7bf688062a9baafd0696d9f4f8b20bf43216d27f915191c4585e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\viltracoin-qt1.exe

Filesize
2KB

MD5
e53fdf76753edcd8773ab17ae968bfd6

SHA1
4bea38cd83442080bdf51cd1db206715f9198955

SHA256
3d70ce95eb1eb78620cc57fe1a6a479e6f2d70508bf813238e573863df000d6e

SHA512
f168878f0d1047ce3775a511ee5cffed3afc7a47081304b4c884b6099dace99a17e473b727f5afcc87b0e0c1df461439f821b2dbcf341f94b9c206e8487c7888

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnrljdjt\CSC349352A4A16943218179666087D2842C.TMP

Filesize
652B

MD5
d0bb8148a69d02a81b396a2e4e450fed

SHA1
053a5af0a00183484eeb22fd3a0722d01babf026

SHA256
8f49e4404158967452a1a45e2af83c58bea5cf87e586c71d0452e0e8dd90c6b3

SHA512
8240c5d7fad3b8ab0719325e17b38ff7b14f8b8f5649852dc0813171724024e1e1364bb7d6c4cc45c5a31ff96b553c220a52b33ae97d366f491d3e0b1ef2338e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnrljdjt\bnrljdjt.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnrljdjt\bnrljdjt.cmdline

Filesize
369B

MD5
ec852f68d3fe2361bfb81e7625c9dce4

SHA1
23ebc0147d59896f127443a8c0bc60bb25c915fc

SHA256
0344a60ef9ec0c84c0bb01022ac6f428f77dec3d9535755285672700d41e885d

SHA512
f8c3602b3af1853aa98fe6f19a31486d338e49d82a52492c3aabef53fe3b0ce29795f9355f4206680e3dc80e7c5eaed4a17cb1c0e8f176cbf43c9be6373399bc

Download Submit
memory/3428-39-0x0000024D3A560000-0x0000024D3A884000-memory.dmp

Filesize
3.1MB

Download
memory/3428-40-0x0000024D3A9E0000-0x0000024D3AA30000-memory.dmp

Filesize
320KB

Download
memory/3428-41-0x0000024D3C6F0000-0x0000024D3C7A2000-memory.dmp

Filesize
712KB

Download
memory/3428-44-0x0000024D3A9B0000-0x0000024D3A9C2000-memory.dmp

Filesize
72KB

Download
memory/3428-45-0x0000024D3C670000-0x0000024D3C6AC000-memory.dmp

Filesize
240KB

Download
memory/5112-14-0x000002772DA20000-0x000002772DA96000-memory.dmp

Filesize
472KB

Download
memory/5112-27-0x000002772D480000-0x000002772D488000-memory.dmp

Filesize
32KB

Download
memory/5112-13-0x000002772D5E0000-0x000002772D624000-memory.dmp

Filesize
272KB

Download
memory/5112-8-0x000002772B340000-0x000002772B362000-memory.dmp

Filesize
136KB

Download