quasar | 93c17b482bf0bf274580744e57b27c70ffbbe1d14bb0c312e66f62e99ffa7c60

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 11:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

slimo-qt-windows/slimo-qt.exe
Size

101.4MB
MD5

8fe43b09d853202c4ff8f7d66d17adc5
SHA1

58b1d97d18c60a0769e66e4fcd1fb9756071a15c
SHA256

2b6b5c04c584c7d6dc72a5be6101c204d934b6502e28d1ed1514f757daaab50f
SHA512

1101f11a2c39c5a35fd1421c36b31ab20d21557e2eafe1085ef2f4c0a8df71404e6acb6adab551cce5fd68205e142644d8653be9b90248fb3f020422be240134
SSDEEP

393216:C4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2K:CKRVQxhu0P8Lq1LEvxOOx5S4

Score

10^/10

quasar slimo defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slimo

51.15.17.193:4782

Mutex

e318fab0-811e-40a6-b0aa-1e21015956c8

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral4/memory/4736-39-0x0000026B350D0000-0x0000026B353F4000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	slimo-qt.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	slimo-qt.exe

Executes dropped EXE 1 IoCs

pid	Process
4736	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4284	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4284	powershell.exe
4284	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4736	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4348	1396	slimo-qt.exe	83
PID 1396 wrote to memory of 4348	1396	slimo-qt.exe	83
PID 4348 wrote to memory of 4208	4348	cmd.exe	84
PID 4348 wrote to memory of 4208	4348	cmd.exe	84
PID 4348 wrote to memory of 4284	4348	cmd.exe	85
PID 4348 wrote to memory of 4284	4348	cmd.exe	85
PID 4284 wrote to memory of 4104	4284	powershell.exe	87
PID 4284 wrote to memory of 4104	4284	powershell.exe	87
PID 4104 wrote to memory of 3956	4104	csc.exe	88
PID 4104 wrote to memory of 3956	4104	csc.exe	88
PID 1396 wrote to memory of 4168	1396	slimo-qt.exe	89
PID 1396 wrote to memory of 4168	1396	slimo-qt.exe	89
PID 4168 wrote to memory of 4736	4168	cmd.exe	90
PID 4168 wrote to memory of 4736	4168	cmd.exe	90
PID 1396 wrote to memory of 3184	1396	slimo-qt.exe	92
PID 1396 wrote to memory of 3184	1396	slimo-qt.exe	92

C:\Users\Admin\AppData\Local\Temp\slimo-qt-windows\slimo-qt.exe
"C:\Users\Admin\AppData\Local\Temp\slimo-qt-windows\slimo-qt.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dr1xuhbv\dr1xuhbv.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8695.tmp" "c:\Users\Admin\AppData\Local\Temp\dr1xuhbv\CSC630D2CD4A66F4E2EB7D2F7EB53A447D8.TMP"
        5⤵
        
        PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\Slimo.exe"
  2⤵
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8695.tmp

Filesize
1KB

MD5
1dca2cc30b83b5d362165d927e98ba7e

SHA1
0d3f0d79332baa9264243c87375d7335b7cab6e8

SHA256
73e67d937b690bd7d3797ca30a66a25ef9d309d59a84f45a3201da5a1c88e971

SHA512
eec7abeafd1a0d70d73e69bd31fb358dceeaa007f936be637d18ab4ff5ec78dc915380014ac98b2a81a3d6ef7ee75da6e4d03627be1cdb1e4e059498f28d61bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
8.2MB

MD5
ab0d88d920d75c9de43ccbdd901c8a53

SHA1
638197f5a23428f1c15a0a5473b6558d263b0a0c

SHA256
edb3d030a4a033bae41057c19437dff31c171573b65afab0acd433cbd0572a17

SHA512
25e1f1f5afe0cb1920be2d6a1db59f11b9f34b0bd154d3d553eb0dc44ecbc810463a7e1dcca5a176d7a08f0a34ed3e669a56cd35f9cc5ed796bfa5385f0e15f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slimo.exe

Filesize
2KB

MD5
e53fdf76753edcd8773ab17ae968bfd6

SHA1
4bea38cd83442080bdf51cd1db206715f9198955

SHA256
3d70ce95eb1eb78620cc57fe1a6a479e6f2d70508bf813238e573863df000d6e

SHA512
f168878f0d1047ce3775a511ee5cffed3afc7a47081304b4c884b6099dace99a17e473b727f5afcc87b0e0c1df461439f821b2dbcf341f94b9c206e8487c7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aonwcpc4.ev2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr1xuhbv\dr1xuhbv.dll

Filesize
3KB

MD5
dd9dc7a4c153475a9c23b57082867863

SHA1
c52ca95ccd31948025c43a695728d171e734c970

SHA256
4e102659d979a6734de798549f88a4f15bf83c0221b0265260d75af0c66cfb4a

SHA512
34b0a94ecfb393ef3c385657e24d27afab03c04e56242457ca9f8db4382e9e378a1b9288f74e2e719b7794fd93ba2302f69a883ddf7ccf2f7117c46c41b0208c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dr1xuhbv\CSC630D2CD4A66F4E2EB7D2F7EB53A447D8.TMP

Filesize
652B

MD5
b86d45a14d4e42bb471181ce0bdb1cfe

SHA1
bef99fff8152d07bd5b0f0ceec157b31b9deae58

SHA256
d8121bd6f4652001ce9b3703db81aaf12f8ad9f65cb7ea14d77640a08b74727b

SHA512
e839d85e21011870b2a8103c79a4904c89525407d84761cb79dd818e7b3b30fe69e98c845fb796c529e88625cdce8044571feb2148c4dc6fca358a3e734c4b0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dr1xuhbv\dr1xuhbv.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dr1xuhbv\dr1xuhbv.cmdline

Filesize
369B

MD5
823a1509c703ec8ece0faa2c8da30875

SHA1
8ac6432fe09d0f49deb40df1e8bab14127029aec

SHA256
8ec1f2299591b7f99b30d3a70dc30a61beb27ea3aba4500b45c3c1221b3419c6

SHA512
45adfdf99325c311a101d02bc9a2726a6b5b86f67b9b827a143f81047232fd0a8cf63bed59094f68a6ee71b024e7718321186541b277980cc1a96e83fd9abbb4

Download Submit
memory/4284-14-0x0000020058A90000-0x0000020058B06000-memory.dmp

Filesize
472KB

Download
memory/4284-27-0x0000020056420000-0x0000020056428000-memory.dmp

Filesize
32KB

Download
memory/4284-5-0x00000200584B0000-0x00000200584D2000-memory.dmp

Filesize
136KB

Download
memory/4284-13-0x0000020058630000-0x0000020058674000-memory.dmp

Filesize
272KB

Download
memory/4736-39-0x0000026B350D0000-0x0000026B353F4000-memory.dmp

Filesize
3.1MB

Download
memory/4736-40-0x0000026B1C250000-0x0000026B1C2A0000-memory.dmp

Filesize
320KB

Download
memory/4736-41-0x0000026B354B0000-0x0000026B35562000-memory.dmp

Filesize
712KB

Download
memory/4736-44-0x0000026B1C230000-0x0000026B1C242000-memory.dmp

Filesize
72KB

Download
memory/4736-45-0x0000026B35430000-0x0000026B3546C000-memory.dmp

Filesize
240KB

Download