quasar | 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

General

Target

JJSPLOIT.V2.exe
Size

3.1MB
MD5

d4a776ea55e24d3124a6e0759fb0ac44
SHA1

f5932d234baccc992ca910ff12044e8965229852
SHA256

7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c
SHA512

ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b
SSDEEP

49152:gvvL82kyaNnwxPlllSWxc9LpQXmrRJ6cbR3LoGdJTHHB72eh2NT:gvD82kyaNnwxPlllSWa9LpQXmrRJ6m

Score

10^/10

quasar roblox executor discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

C2

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes

encryption_key
FFEE70B90F5EBED6085600C989F1D6D56E2DEC26
install_name
windows 3543.exe
log_directory
roblox executor
reconnect_delay
3000
startup_key
windows background updater
subdirectory
windows updater

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1520-1-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000023bb7-6.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	windows 3543.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	windows 3543.exe

Executes dropped EXE 3 IoCs

pid	Process
3276	windows 3543.exe
3756	windows 3543.exe
924	windows 3543.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3980	PING.EXE
4556	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3980	PING.EXE
4556	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
1028	schtasks.exe
3688	schtasks.exe
5084	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	JJSPLOIT.V2.exe
Token: SeDebugPrivilege	3276	windows 3543.exe
Token: SeDebugPrivilege	3756	windows 3543.exe
Token: SeDebugPrivilege	924	windows 3543.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3276	windows 3543.exe
3756	windows 3543.exe
924	windows 3543.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 5084	1520	JJSPLOIT.V2.exe	82
PID 1520 wrote to memory of 5084	1520	JJSPLOIT.V2.exe	82
PID 1520 wrote to memory of 3276	1520	JJSPLOIT.V2.exe	84
PID 1520 wrote to memory of 3276	1520	JJSPLOIT.V2.exe	84
PID 3276 wrote to memory of 2660	3276	windows 3543.exe	85
PID 3276 wrote to memory of 2660	3276	windows 3543.exe	85
PID 3276 wrote to memory of 2072	3276	windows 3543.exe	96
PID 3276 wrote to memory of 2072	3276	windows 3543.exe	96
PID 2072 wrote to memory of 4924	2072	cmd.exe	98
PID 2072 wrote to memory of 4924	2072	cmd.exe	98
PID 2072 wrote to memory of 3980	2072	cmd.exe	99
PID 2072 wrote to memory of 3980	2072	cmd.exe	99
PID 2072 wrote to memory of 3756	2072	cmd.exe	100
PID 2072 wrote to memory of 3756	2072	cmd.exe	100
PID 3756 wrote to memory of 1028	3756	windows 3543.exe	101
PID 3756 wrote to memory of 1028	3756	windows 3543.exe	101
PID 3756 wrote to memory of 4064	3756	windows 3543.exe	103
PID 3756 wrote to memory of 4064	3756	windows 3543.exe	103
PID 4064 wrote to memory of 3284	4064	cmd.exe	105
PID 4064 wrote to memory of 3284	4064	cmd.exe	105
PID 4064 wrote to memory of 4556	4064	cmd.exe	106
PID 4064 wrote to memory of 4556	4064	cmd.exe	106
PID 4064 wrote to memory of 924	4064	cmd.exe	107
PID 4064 wrote to memory of 924	4064	cmd.exe	107
PID 924 wrote to memory of 3688	924	windows 3543.exe	108
PID 924 wrote to memory of 3688	924	windows 3543.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe
"C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5084
- C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
  "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vj9P241S8JkK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4924
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3980
  - - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
      "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZKSoIB38IgJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3284
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4556
      - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
        
        "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows 3543.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vj9P241S8JkK.bat

Filesize
222B

MD5
efce8536c4fd2d7b9dc772b5ac5244f8

SHA1
47ec97c09d606c681ecfb73c6ab7598a0815722d

SHA256
e3e20ad116c0740d540bb9574b839374991a7757dda5aa63e6c641ff8149c92b

SHA512
3a0446e153105952271deb3d401f6c2cf4e041a7058d8e044edb3dc44ff879adaf06d859d0cda0780042e58941a6de70ef77b73db6fcc911549e6e3aaaea2f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZKSoIB38IgJ.bat

Filesize
222B

MD5
2e3f36e7493d850f069f4b3a2e5c4a77

SHA1
60dcacc60a329a82f46f0262ef19e2269b055a5d

SHA256
3aa674bd9fcfae4528281ca5b19584151d923a28568803d3bd81e9a7e042d169

SHA512
3db4303205f1d0f329a05f5e7d19d0e78581deb1ab980353f4c6c2096186920c5df3aba505355b5fdeb0d080098f6e823d65d4ff1d337dc011e08682d153a05a

Download Submit
C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

Filesize
3.1MB

MD5
d4a776ea55e24d3124a6e0759fb0ac44

SHA1
f5932d234baccc992ca910ff12044e8965229852

SHA256
7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

SHA512
ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b

Download Submit
memory/1520-13-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-1-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/1520-2-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/3276-11-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/3276-14-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/3276-20-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/3276-12-0x000000001C320000-0x000000001C3D2000-memory.dmp

Filesize
712KB

Download
memory/3276-10-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/3276-9-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads