quasar | ef2a326a4226caafa7542e93fc2aa474874907eb369dfca8dea080a4a8fa854d

Analysis

max time kernel
125s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newwasdwasd.exe
Size

3.1MB
MD5

048106e39bf4014d0c3e0481becddb92
SHA1

7f12cc9a25a07a9ff47d34fa53fed13144b07342
SHA256

ef2a326a4226caafa7542e93fc2aa474874907eb369dfca8dea080a4a8fa854d
SHA512

1ff8fbed8e2775f5559ece342c133e8018c9df6ab1ebec66b45312a4ab79f8c275516c1a4fd1cd1d37af7e0382f44a90e3e7e8078790296eb7e793122cee00ff
SSDEEP

49152:7vwhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaQSSMf3VoGdwTHHB72eh2NT:7vit2d5aKCuVPzlEmVQ0wvwfQSj

Score

10^/10

quasar minecraft_updater spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

minecraft_updater

98.97.12.133:631

Mutex

182d06ff-972f-4a96-b344-59a01694d374

Attributes

encryption_key
C5904FDD788EA00F921C538B9FE80C0B0A0DE728
install_name
MinecraftUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MinecraftUpdater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2848-1-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral2/files/0x001b00000002ab2a-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3364	MinecraftUpdater.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3768	schtasks.exe
3836	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	newwasdwasd.exe
Token: SeDebugPrivilege	3364	MinecraftUpdater.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3364	MinecraftUpdater.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3768	2848	newwasdwasd.exe	77
PID 2848 wrote to memory of 3768	2848	newwasdwasd.exe	77
PID 2848 wrote to memory of 3364	2848	newwasdwasd.exe	79
PID 2848 wrote to memory of 3364	2848	newwasdwasd.exe	79
PID 3364 wrote to memory of 3836	3364	MinecraftUpdater.exe	80
PID 3364 wrote to memory of 3836	3364	MinecraftUpdater.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\newwasdwasd.exe
"C:\Users\Admin\AppData\Local\Temp\newwasdwasd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3768
- C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe

Filesize
3.1MB

MD5
048106e39bf4014d0c3e0481becddb92

SHA1
7f12cc9a25a07a9ff47d34fa53fed13144b07342

SHA256
ef2a326a4226caafa7542e93fc2aa474874907eb369dfca8dea080a4a8fa854d

SHA512
1ff8fbed8e2775f5559ece342c133e8018c9df6ab1ebec66b45312a4ab79f8c275516c1a4fd1cd1d37af7e0382f44a90e3e7e8078790296eb7e793122cee00ff

Download Submit
memory/2848-0-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

Filesize
8KB

Download
memory/2848-1-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2848-2-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/2848-9-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/3364-10-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/3364-11-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download
memory/3364-12-0x000000001BE10000-0x000000001BE60000-memory.dmp

Filesize
320KB

Download
memory/3364-13-0x000000001BF20000-0x000000001BFD2000-memory.dmp

Filesize
712KB

Download
memory/3364-14-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads