quasar | f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab

Analysis

max time kernel
110s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

c76ab36150bf9a2c72e7b1c3d2440f30
SHA1

a3719eabbb7f6da523650a9f606fda7f34f9305c
SHA256

f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab
SHA512

c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114
SSDEEP

49152:sv5go2QSaNpzyPllgamb0CZof/JfaN9ETJDh+ueoGdoZdTHHB72eh2NT:sv6o2QSaNpzyPllgamYCZof/JfaN6T6

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

7.tcp.eu.ngrok.io:10771

7.tcp.eu.ngrok.io:4782

4.tcp.eu.ngrok.io:4782

4.tcp.eu.ngrok.io:11979

4.tcp.eu.ngrok.io:12435

Mutex

6bc3b1f8-4e29-4c42-b638-2062ec672f6f

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
300
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3136-1-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/files/0x0028000000046165-3.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	7.tcp.eu.ngrok.io
26	4.tcp.eu.ngrok.io
44	4.tcp.eu.ngrok.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4264	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4264	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1116	schtasks.exe
3156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2324	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3156	3136	FlashingSoftwarePRO.exe	83
PID 3136 wrote to memory of 3156	3136	FlashingSoftwarePRO.exe	83
PID 3136 wrote to memory of 2324	3136	FlashingSoftwarePRO.exe	85
PID 3136 wrote to memory of 2324	3136	FlashingSoftwarePRO.exe	85
PID 2324 wrote to memory of 1116	2324	svchost.exe	86
PID 2324 wrote to memory of 1116	2324	svchost.exe	86
PID 2324 wrote to memory of 3056	2324	svchost.exe	96
PID 2324 wrote to memory of 3056	2324	svchost.exe	96
PID 2324 wrote to memory of 1540	2324	svchost.exe	98
PID 2324 wrote to memory of 1540	2324	svchost.exe	98
PID 1540 wrote to memory of 568	1540	cmd.exe	100
PID 1540 wrote to memory of 568	1540	cmd.exe	100
PID 1540 wrote to memory of 4264	1540	cmd.exe	101
PID 1540 wrote to memory of 4264	1540	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3156
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1116
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "RuntimeBroker" /f
    3⤵
    PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88DpcWrWbXRl.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:568
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88DpcWrWbXRl.bat

Filesize
203B

MD5
0093ee35417c4cfb0f23f11578722d49

SHA1
e6d03a15febb2b2254a1411f2fdf4752c1620b68

SHA256
ae11d81bd743e76f4cf829ad22b1d58700a2899b1dbacdd5912cf6d1816110b7

SHA512
862997ad18fb03e5e7b8001d8d1db8d346d9d8cc7b608eae70a020fce5a6cfc02ef7feae0202dc93fb6894778db0e9e8885a4bf0400f04924871d6ff3fc9f959

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
c76ab36150bf9a2c72e7b1c3d2440f30

SHA1
a3719eabbb7f6da523650a9f606fda7f34f9305c

SHA256
f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab

SHA512
c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114

Download Submit
memory/2324-7-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/2324-5-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

Filesize
10.8MB

Download
memory/2324-8-0x000000001D2C0000-0x000000001D372000-memory.dmp

Filesize
712KB

Download
memory/2324-9-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

Filesize
10.8MB

Download
memory/2324-10-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

Filesize
72KB

Download
memory/2324-11-0x000000001D240000-0x000000001D27C000-memory.dmp

Filesize
240KB

Download
memory/2324-20-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

Filesize
10.8MB

Download
memory/3136-2-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

Filesize
10.8MB

Download
memory/3136-6-0x00007FFBC1D70000-0x00007FFBC2832000-memory.dmp

Filesize
10.8MB

Download
memory/3136-0-0x00007FFBC1D73000-0x00007FFBC1D75000-memory.dmp

Filesize
8KB

Download
memory/3136-1-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download