quasar | 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

General

Target

JJSPLOIT.V2.exe
Size

3.1MB
MD5

d4a776ea55e24d3124a6e0759fb0ac44
SHA1

f5932d234baccc992ca910ff12044e8965229852
SHA256

7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c
SHA512

ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b
SSDEEP

49152:gvvL82kyaNnwxPlllSWxc9LpQXmrRJ6cbR3LoGdJTHHB72eh2NT:gvD82kyaNnwxPlllSWa9LpQXmrRJ6m

Score

10^/10

quasar roblox executor discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

C2

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes

encryption_key
FFEE70B90F5EBED6085600C989F1D6D56E2DEC26
install_name
windows 3543.exe
log_directory
roblox executor
reconnect_delay
3000
startup_key
windows background updater
subdirectory
windows updater

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral3/memory/4312-1-0x00000000005B0000-0x00000000008D4000-memory.dmp	family_quasar
behavioral3/files/0x001c00000002ab3c-6.dat	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
3744	windows 3543.exe
1948	windows 3543.exe
2212	windows 3543.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
576	PING.EXE
436	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
576	PING.EXE
436	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
4760	schtasks.exe
788	schtasks.exe
5064	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	JJSPLOIT.V2.exe
Token: SeDebugPrivilege	3744	windows 3543.exe
Token: SeDebugPrivilege	1948	windows 3543.exe
Token: SeDebugPrivilege	2212	windows 3543.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3744	windows 3543.exe
1948	windows 3543.exe
2212	windows 3543.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 5064	4312	JJSPLOIT.V2.exe	77
PID 4312 wrote to memory of 5064	4312	JJSPLOIT.V2.exe	77
PID 4312 wrote to memory of 3744	4312	JJSPLOIT.V2.exe	79
PID 4312 wrote to memory of 3744	4312	JJSPLOIT.V2.exe	79
PID 3744 wrote to memory of 2164	3744	windows 3543.exe	80
PID 3744 wrote to memory of 2164	3744	windows 3543.exe	80
PID 3744 wrote to memory of 928	3744	windows 3543.exe	82
PID 3744 wrote to memory of 928	3744	windows 3543.exe	82
PID 928 wrote to memory of 4404	928	cmd.exe	84
PID 928 wrote to memory of 4404	928	cmd.exe	84
PID 928 wrote to memory of 576	928	cmd.exe	85
PID 928 wrote to memory of 576	928	cmd.exe	85
PID 928 wrote to memory of 1948	928	cmd.exe	86
PID 928 wrote to memory of 1948	928	cmd.exe	86
PID 1948 wrote to memory of 4760	1948	windows 3543.exe	87
PID 1948 wrote to memory of 4760	1948	windows 3543.exe	87
PID 1948 wrote to memory of 4400	1948	windows 3543.exe	89
PID 1948 wrote to memory of 4400	1948	windows 3543.exe	89
PID 4400 wrote to memory of 4284	4400	cmd.exe	91
PID 4400 wrote to memory of 4284	4400	cmd.exe	91
PID 4400 wrote to memory of 436	4400	cmd.exe	92
PID 4400 wrote to memory of 436	4400	cmd.exe	92
PID 4400 wrote to memory of 2212	4400	cmd.exe	93
PID 4400 wrote to memory of 2212	4400	cmd.exe	93
PID 2212 wrote to memory of 788	2212	windows 3543.exe	94
PID 2212 wrote to memory of 788	2212	windows 3543.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe
"C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5064
- C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
  "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzDRUn1AebHh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4404
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:576
  - - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
      "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAnaK0yGuBoO.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4284
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
      - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
        
        "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows 3543.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAnaK0yGuBoO.bat

Filesize
222B

MD5
82ab03b9656a66cd40a9d3c1e9946a45

SHA1
e471bae663c6feb53441917de3259dbc53147e89

SHA256
8f6ee80746e47e64ea80a11a25eccf9233c542c533bf367601f32091849f6e33

SHA512
e58e6b0c79274d5af5ae55fcea325327f4e79738460e2cdb4d668b1a482601fbe8726d8476e9df0d117093bb37ecfa880b5eaa1a2c491e6d3955bcc6ab513745

Download Submit
C:\Users\Admin\AppData\Local\Temp\OzDRUn1AebHh.bat

Filesize
222B

MD5
38adf4b3f07c901ec6d07ce24c35aced

SHA1
4707d19b4254dd45799333e91e330560924b6c49

SHA256
7b4ebe2fd240c67631588c6b99b09df54403bf44ec3aac048fa0df169bb9428e

SHA512
54997e616d6f09fcefbf6a5204eb3efd1f1b3ce9c1f32fde876452c99f8b186a8a2f08ac6786f6d4e401b94cdbe82790c3d3420bc7ce31c86511bd74584bfbdd

Download Submit
C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

Filesize
3.1MB

MD5
d4a776ea55e24d3124a6e0759fb0ac44

SHA1
f5932d234baccc992ca910ff12044e8965229852

SHA256
7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

SHA512
ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b

Download Submit
memory/3744-11-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/3744-10-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/3744-12-0x000000001C020000-0x000000001C070000-memory.dmp

Filesize
320KB

Download
memory/3744-13-0x000000001C130000-0x000000001C1E2000-memory.dmp

Filesize
712KB

Download
memory/3744-14-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/3744-19-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/4312-0-0x00007FFA87763000-0x00007FFA87765000-memory.dmp

Filesize
8KB

Download
memory/4312-9-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/4312-2-0x00007FFA87760000-0x00007FFA88222000-memory.dmp

Filesize
10.8MB

Download
memory/4312-1-0x00000000005B0000-0x00000000008D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads