quasar | ce20bc65910e2b8126f636cb836ccfc7f094d085c9c5010737c3b118206a73a3

General

Target

image/image.exe
Size

1.5MB
MD5

bbb68cbd54b244a4248bd6f0679248cd
SHA1

8f5b4de5be86fb25b771cb6d77d7c733d61425fe
SHA256

bbd6a97147359f874c0d8cad57adaf14508890a1fdeb7a71b94a2957a81786d5
SHA512

99bc221b3134b37f42a7879382f88367ba365689620aebb7f64e5e11b136885761f7dd1801fafe57b94418af38020fc12cc7df0a9ef6419ea0c3e2f78127471d
SSDEEP

24576:luDXTIGaPhEYzUzA0KugmRyyi8xDjtF24u0+I3dlB9wgTwB/aqBLIXvFpNvKcYjg:4Djlabwz9Am4FijqfEdlB9dTwB/aqBED

Score

10^/10

quasar kurban spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

kurban

C2

am2uk98.localto.net:1717

Mutex

29f4cb4d-448a-4713-bbeb-b28f62c6efe4

Attributes

encryption_key
5D6738D4B8B3079082A977FDF5631438E56AC0F9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
quasar
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002100000002aaaa-6.dat	family_quasar
behavioral1/memory/4276-15-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4276	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4276	Client-built.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4276	Client-built.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 128 wrote to memory of 4276	128	image.exe	77
PID 128 wrote to memory of 4276	128	image.exe	77
PID 4276 wrote to memory of 760	4276	Client-built.exe	80
PID 4276 wrote to memory of 760	4276	Client-built.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\image\image.exe
"C:\Users\Admin\AppData\Local\Temp\image\image.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:128
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "quasar" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:760

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
fbbd10b5151e4365bceb3190d826c524

SHA1
45a77c1d88151d54383047d84019bc9e84cfa0c8

SHA256
4400d61bcd5543a3123ae53baff8863336555d96350ec33ce9a3f8242917cbb3

SHA512
32404e11daf2116efd194a65a96c24d83c8b0f1eed80ae63d6077d26e8b51f636db993e98474257fb2aa262d87b6ce6219fdf8f2162b4fd179a3e95c9dbee7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
3.1MB

MD5
709db99b201db278f9dd2375efd249fb

SHA1
bcd7a699982f840f90e38543aff9dcad5dc35a75

SHA256
2c4a5c66e2c741be6d4211f46c4c03ffc1e7500326924c2d6eb3e7dc5ae51362

SHA512
18ef7c998e9a229e30a34ec6d1800c572292faa2845b3187b63ca8e72caed03b21f88f000ced25ad2d0e0bd19ad0b554cf62749096cab414a70e06d9c817a4ba

Download Submit
memory/4276-14-0x00007FF8C1C53000-0x00007FF8C1C55000-memory.dmp

Filesize
8KB

Download
memory/4276-15-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/4276-16-0x00007FF8C1C50000-0x00007FF8C2712000-memory.dmp

Filesize
10.8MB

Download
memory/4276-17-0x000000001C500000-0x000000001C550000-memory.dmp

Filesize
320KB

Download
memory/4276-18-0x000000001C610000-0x000000001C6C2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads