quasar | f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

c76ab36150bf9a2c72e7b1c3d2440f30
SHA1

a3719eabbb7f6da523650a9f606fda7f34f9305c
SHA256

f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab
SHA512

c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114
SSDEEP

49152:sv5go2QSaNpzyPllgamb0CZof/JfaN9ETJDh+ueoGdoZdTHHB72eh2NT:sv6o2QSaNpzyPllgamYCZof/JfaN6T6

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

7.tcp.eu.ngrok.io:10771

7.tcp.eu.ngrok.io:4782

4.tcp.eu.ngrok.io:4782

4.tcp.eu.ngrok.io:11979

4.tcp.eu.ngrok.io:12435

Mutex

6bc3b1f8-4e29-4c42-b638-2062ec672f6f

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
300
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3464-1-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c97-5.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4704	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
39	4.tcp.eu.ngrok.io
14	7.tcp.eu.ngrok.io
24	4.tcp.eu.ngrok.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4936	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4936	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3400	schtasks.exe
3356	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	4704	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 3400	3464	FlashingSoftwarePRO.exe	85
PID 3464 wrote to memory of 3400	3464	FlashingSoftwarePRO.exe	85
PID 3464 wrote to memory of 4704	3464	FlashingSoftwarePRO.exe	87
PID 3464 wrote to memory of 4704	3464	FlashingSoftwarePRO.exe	87
PID 4704 wrote to memory of 3356	4704	svchost.exe	88
PID 4704 wrote to memory of 3356	4704	svchost.exe	88
PID 4704 wrote to memory of 3196	4704	svchost.exe	110
PID 4704 wrote to memory of 3196	4704	svchost.exe	110
PID 4704 wrote to memory of 4952	4704	svchost.exe	112
PID 4704 wrote to memory of 4952	4704	svchost.exe	112
PID 4952 wrote to memory of 1532	4952	cmd.exe	114
PID 4952 wrote to memory of 1532	4952	cmd.exe	114
PID 4952 wrote to memory of 4936	4952	cmd.exe	115
PID 4952 wrote to memory of 4936	4952	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3400
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3356
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "RuntimeBroker" /f
    3⤵
    PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iexkU0FIuW1Q.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1532
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexkU0FIuW1Q.bat

Filesize
203B

MD5
50286285df292b3f547b0d5223befe06

SHA1
fd9a6945de0ad730152f720a0312cd13d2bb3dc1

SHA256
5a15517a29f40fa73248d15fe6380ea87f9517757100812c263cacdd69180e1c

SHA512
63c5b6b526c67e3ceeff59667a331ac868ae7cb5203c7a2d133ab8e48039a522436b52746c377077664ca5c32040ac7dd299c501c69f534186513c8d5c10a53a

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
c76ab36150bf9a2c72e7b1c3d2440f30

SHA1
a3719eabbb7f6da523650a9f606fda7f34f9305c

SHA256
f9bf98b2e090d49b4830760b942d9208c33169ccd43814fc2a38955d74df15ab

SHA512
c493f8553797411eefddfc4ffb448c61e3610bea9a3e774aea0048dc46359d61092b5e71bb957cdcc4affa766cb0692bbb8126e084967f00516cf66288232114

Download Submit
memory/3464-0-0x00007FFA9AA63000-0x00007FFA9AA65000-memory.dmp

Filesize
8KB

Download
memory/3464-1-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/3464-2-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/3464-8-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/4704-10-0x000000001BDB0000-0x000000001BE00000-memory.dmp

Filesize
320KB

Download
memory/4704-11-0x000000001D6C0000-0x000000001D772000-memory.dmp

Filesize
712KB

Download
memory/4704-12-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/4704-13-0x000000001BD90000-0x000000001BDA2000-memory.dmp

Filesize
72KB

Download
memory/4704-14-0x000000001D640000-0x000000001D67C000-memory.dmp

Filesize
240KB

Download
memory/4704-19-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download
memory/4704-9-0x00007FFA9AA60000-0x00007FFA9B521000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads