quasar | dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Size

83.0MB
MD5

4117eceb35a8705eba8b0ed2148ad7d7
SHA1

1f0f47d0f8fc9f7d11467681473c563bf3624834
SHA256

dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949
SHA512

ad1fb197cf8fc7ebc536bd8787b655e8bd947e23ea64ad7a6da16238f5d4b4f8b3f0e30efc01ce0c0bc27f31dad1afdd97bb13aae3992a78e5214c7b761c4fe0
SSDEEP

393216:T4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2W:TKRVQxhu0P8Lq1LEvxOOx5Sk

Score

10^/10

quasar staking defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Staking

51.15.17.193:4782

Mutex

ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4944-39-0x000001FDAA600000-0x000001FDAA924000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	4944	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 4460	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	83
PID 2460 wrote to memory of 4460	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	83
PID 4460 wrote to memory of 4468	4460	cmd.exe	84
PID 4460 wrote to memory of 4468	4460	cmd.exe	84
PID 4460 wrote to memory of 2480	4460	cmd.exe	85
PID 4460 wrote to memory of 2480	4460	cmd.exe	85
PID 2480 wrote to memory of 2608	2480	powershell.exe	86
PID 2480 wrote to memory of 2608	2480	powershell.exe	86
PID 2608 wrote to memory of 4856	2608	csc.exe	87
PID 2608 wrote to memory of 4856	2608	csc.exe	87
PID 2460 wrote to memory of 228	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	88
PID 2460 wrote to memory of 228	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	88
PID 228 wrote to memory of 4944	228	cmd.exe	89
PID 228 wrote to memory of 4944	228	cmd.exe	89
PID 2460 wrote to memory of 4760	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	90
PID 2460 wrote to memory of 4760	2460	dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe	90

C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
"C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdqfqrfp\vdqfqrfp.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CDC.tmp" "c:\Users\Admin\AppData\Local\Temp\vdqfqrfp\CSCEA0311CD58444306878589F896255637.TMP"
        5⤵
        
        PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe"
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe

Filesize
9B

MD5
9d1ead73e678fa2f51a70a933b0bf017

SHA1
d205cbd6783332a212c5ae92d73c77178c2d2f28

SHA256
0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5

SHA512
935b3d516e996f6d25948ba8a54c1b7f70f7f0e3f517e36481fdf0196c2c5cfc2841f86e891f3df9517746b7fb605db47cdded1b8ff78d9482ddaa621db43a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CDC.tmp

Filesize
1KB

MD5
544e28085058d5ec39e8ba5e081ccec8

SHA1
599ab9cf04797bb4f21373c244d29322150178e9

SHA256
170ca64345b3deff45d3c71939fdf3843b482ddf8659bddfd15a09b20dc5938b

SHA512
188c6062a7608fe07cd24c3847871f3381715fe308b6140c2f556e53b5d713a09b5e266db0c455b6f299e12bd665cd1e843d4d82ec07bb94a8afc8969e3341b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
4.8MB

MD5
9a7cea63db91937ec2fa0c4a40dcde82

SHA1
dbc121740eb6aa3221beadd3ae69df1ce095c441

SHA256
687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728

SHA512
36e6a806125b1d80e97482f0b03a7481a136f01d2808169f171d89c54d2faf6f5b6913f4751dc737d5dc672f63622e379fd87f306cec2e076d8a5e73d33059dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_chsy1bpb.vih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdqfqrfp\vdqfqrfp.dll

Filesize
3KB

MD5
bb1ec8a5cbd6a4565392b099818ad5ae

SHA1
2c042879fb70c41240e57537b9bae8cfe5d65efc

SHA256
9b1203c49b695c3783d79f1a5888f0a66edb3ef5ed87d5cb47eab36ae19af3ea

SHA512
871d71438a12feb2f32e25339a7c734552decd9b9fb6df74722a29688f1061c88a613ac1f1bde1a28181586a133fdf87923df4c24a4916abae1c173cf180f804

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdqfqrfp\CSCEA0311CD58444306878589F896255637.TMP

Filesize
652B

MD5
e01f31df572c74a21fc4a78e0311e343

SHA1
de2723db9b9a3b21b7671c93bdaed95120d0cb69

SHA256
191dcc1ec3ab699d435f0268d0f10984c6392628c9af27c51d9a28c2ddfd3ff6

SHA512
8247f4b3e68fc1cb83aed0b38f1c4a6a7131629cfac549cb8d7e4323f748e67a2bd0b29887e31fc8d413c1aeac3e60875f3edad410b1bcf262e065c25df98003

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdqfqrfp\vdqfqrfp.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vdqfqrfp\vdqfqrfp.cmdline

Filesize
369B

MD5
79cc3e1e021dd41e049f23b073ee30c6

SHA1
5ffdd38f6769f8f3161c8b8758f6e8ea85aec2bb

SHA256
f9ecac394f7e90ec7eec607afef81d070869aad248d732345ddd39c0b79b059e

SHA512
e3f1b6cbc3bb22411d674fa4eeda68f7e21bc345ec9063e6d600ca6510ff9fd68b034220beda87122087e237ecd3bebd28946ec33d765f995da49bde6e1d181d

Download Submit
memory/2480-13-0x000001937FE50000-0x000001937FE94000-memory.dmp

Filesize
272KB

Download
memory/2480-8-0x000001937FD80000-0x000001937FDA2000-memory.dmp

Filesize
136KB

Download
memory/2480-27-0x0000019300B70000-0x0000019300B78000-memory.dmp

Filesize
32KB

Download
memory/2480-14-0x000001937FF20000-0x000001937FF96000-memory.dmp

Filesize
472KB

Download
memory/4944-39-0x000001FDAA600000-0x000001FDAA924000-memory.dmp

Filesize
3.1MB

Download
memory/4944-40-0x000001FDAA020000-0x000001FDAA070000-memory.dmp

Filesize
320KB

Download
memory/4944-41-0x000001FDAAE80000-0x000001FDAAF32000-memory.dmp

Filesize
712KB

Download
memory/4944-44-0x000001FDAA070000-0x000001FDAA082000-memory.dmp

Filesize
72KB

Download
memory/4944-45-0x000001FDAAA70000-0x000001FDAAAAC000-memory.dmp

Filesize
240KB

Download