quasar | 537a88d2c2c8cee418e6b1da94d655caa0ece2beb6c04fe1f96aeb199d87eded

Analysis

max time kernel
0s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 12:11 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Paypal cracker.exe
Size

6.6MB
MD5

5627dd16f023b8be51ed365d2fb6fee5
SHA1

fcccce747bf6c824233cfda366798fa0467d3daf
SHA256

2e2f6fe5b310d843656af43b60c0faddf6eb0f329efc8353272437db44b5f247
SHA512

e475f903d2afd4c1b985f368f77610270df54bb8207130f6339e59595777718cfadadbb732775523a11aa035cbbf3c6d81896a33d84b40f6c01f182a1654f637
SSDEEP

98304:xRlI+LjNr86mjj/UYviu26bbyKS2myX0rPpIh1KcV:xRlVmj72wblTmyEpG17V

Score

10^/10

quasar windows security discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

windows security

quasarrat220-24487.portmap.io:24487

Mutex

VNM_MUTEX_mOPqShedZxvAqgLrWL

Attributes

encryption_key
7mvA2TfKjvMIY0zZeMKF
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0007000000023cb2-17.dat	disable_win_def
behavioral2/files/0x0008000000023cb5-38.dat	disable_win_def
behavioral2/memory/2496-46-0x00000000003A0000-0x000000000042C000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb2-17.dat	family_quasar
behavioral2/files/0x0008000000023cb5-38.dat	family_quasar
behavioral2/memory/2496-46-0x00000000003A0000-0x000000000042C000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	2496	WerFault.exe	87

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2412	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2412	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe
"C:\Users\Admin\AppData\Local\Temp\Paypal cracker.exe"
1⤵
PID:3416
- C:\Users\Admin\AppData\Roaming\systemsvc.exe
  "C:\Users\Admin\AppData\Roaming\systemsvc.exe"
  2⤵
  PID:2060
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    3⤵
    PID:756
- C:\Users\Admin\AppData\Roaming\systemkvc.exe
  "C:\Users\Admin\AppData\Roaming\systemkvc.exe"
  2⤵
  PID:4512
- - C:\Services\6D9F656405E.exe
    "C:\Services\6D9F656405E.exe"
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\8IUA066.exe
      "C:\Users\Admin\AppData\Local\Temp\8IUA066.exe"
      4⤵
      PID:208
- C:\Users\Admin\AppData\Local\Temp\Checker.exe
  "Checker.exe"
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE"
    3⤵
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE
    "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE"
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1PLWfojgAdsL.bat" "
      4⤵
      PID:2628
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:804
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 2204
      4⤵
      Program crash
      PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
1⤵
PID:1468

Network

DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

z.zo

Remote address:

8.8.8.8:53

Request

z.zo

IN A

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 31 Dec 2024 12:11:20 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

quasarrat220-24487.portmap.io

Remote address:

8.8.8.8:53

Request

quasarrat220-24487.portmap.io

IN A

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom

185.81.68.147:80

156 B
3
185.81.68.147:80

156 B
3
185.81.68.147:80

104 B
2
185.81.68.147:80

104 B
2
208.95.112.1:80

http://ip-api.com/json/

http

328 B
560 B
4
2

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

z.zo

dns

50 B
125 B
1
1

DNS Request

z.zo
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

quasarrat220-24487.portmap.io

dns

75 B
168 B
1
1

DNS Request

quasarrat220-24487.portmap.io
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Services\48189C71BC31576

Filesize
34KB

MD5
6a172fdb857f0ac1921efc443e407e7d

SHA1
9401bd19abe0750b866625107f146c1cf55c75b8

SHA256
ab3adcd792f9526fc8634b1de30773d74becadaf056c8d3b1aeee1641f4d640b

SHA512
195a632b76a2a19227cbd1364b810148764c6e5b94971d3e34f93e83d38d410d122db52671a9ebca4087e0216361c6e54db7f959a83832cb5ca2d769cec04ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1PLWfojgAdsL.bat

Filesize
213B

MD5
847c1ea0aa76a066ffc8fe0eb041c8a9

SHA1
cd375f5ad48e75bfe03dcf8e961ee0fb91e27524

SHA256
1df685d966b2ab67804431393dceba11caade019f9a9af3e60d22db1d20e0519

SHA512
65c1024b2fa4805557324a8408fb708ebf47de93449628bc8226ce8d573c3b9a2fbe779b478d581ba92fd2e32c1a16a00822c3d3ffabeecaf8e6fd30e7f0f1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IUA066.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
5.9MB

MD5
3425a9f00842bf28a0bafc5c1571b881

SHA1
3009eca32bcf159981d37a8620836b1d215aa33e

SHA256
7328321fccd71cfda94a18656158ce54b0e3a0831d48f46f559b442a33a1790a

SHA512
868b816f376a3bc38d24850808eb5410e4037acedd0849ad73868065525444a4cca54e3484d5ac0b14523217f3d6da24fc6132942632653439f0ea5310084bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAYPAL.EXE

Filesize
5.3MB

MD5
341b34b571af06277c2f3b4156bd86df

SHA1
ba120240400cc6dcf0e92e732d4f460f3763102b

SHA256
9a579053ee79c9ee45e29ac1887aba8cb87936c01026b5f3d830456547adc441

SHA512
2cbb482d2e087e18b7461c9a317aa249adf12821de17d6dd59f3c17e01394047df31e875a551d23d32a64a46f8db46003c2feced7e967dd159bc65d3bff76e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS SECURITY.EXE

Filesize
534KB

MD5
9e14775490cee79c73cb45c2f24f7a73

SHA1
ddd6c7485a5e64a66a0a7598777abdafa7a63950

SHA256
d53df5b6b080ba24773ca16c7a8b70eeb783ead278712e0c5b44abc84805e60e

SHA512
1c0aec61a64400bcf18f6f0e5a950c68b7a25492b07290e3793a759f616c1b361ed6472d260d0f379b691567216a1f9e53af53b2dc89711df618a4463c8d0317

Download Submit
C:\Users\Admin\AppData\Roaming\B617A73969252838420810\B617A73969252838420810.exe

Filesize
299KB

MD5
5d5392e5c3edac5337a75692f75b4c8e

SHA1
80b9f25c4162e69fc24a5a056e2c3fc029b68f02

SHA256
e7c8df1d1cf7e5abf9c6c025ee99acad9ce907d5f584bb38c5eeb32706251109

SHA512
15141c710c41ff75b23b8b406d91b105dcfe5bb8819ae067baf1d2383a599e081ce14c978bdae151129352ccb096cd587e4ab1bf4f0995c284907e606ed66227

Download Submit
C:\Users\Admin\AppData\Roaming\systemkvc.exe

Filesize
355KB

MD5
33ed3913ea48a41363644e37261fddc2

SHA1
f52b405849a5bcffa792ee44643c7d6c9db9044f

SHA256
3859cde03ca6389bb5973e274ab9da5b51b9593a319e1b16330225b2aea8bd63

SHA512
1b4c87215b7da10166ddfc9a9f214a8fc4292905517f4632fea937fd5aff83f8cec3c99cf15dac0d6d34f0a180b592e2f3fc8346e6aa52bcf064c396b547e053

Download Submit
memory/208-79-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-108-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-68-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-66-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-70-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-71-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-62-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-102-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-72-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/208-73-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/208-74-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-111-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-94-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-80-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-81-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-82-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-83-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-67-0x0000000000DD0000-0x0000000000E16000-memory.dmp

Filesize
280KB

Download
memory/208-107-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-106-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-105-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-104-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-103-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-101-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-100-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-84-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-99-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-98-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-97-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-95-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-96-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/208-109-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1764-59-0x0000000000E70000-0x0000000000ECC000-memory.dmp

Filesize
368KB

Download
memory/2356-123-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-118-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-43-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/2356-112-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-93-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-92-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-114-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-117-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-91-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-90-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-88-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-121-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-126-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-86-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2356-85-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2356-120-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-115-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-116-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-89-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-113-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-119-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-122-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-124-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2356-125-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/2496-185-0x00000000061A0000-0x00000000061DC000-memory.dmp

Filesize
240KB

Download
memory/2496-48-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/2496-47-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/2496-46-0x00000000003A0000-0x000000000042C000-memory.dmp

Filesize
560KB

Download
memory/2496-184-0x0000000005C60000-0x0000000005C72000-memory.dmp

Filesize
72KB

Download
memory/2496-187-0x0000000006500000-0x000000000650A000-memory.dmp

Filesize
40KB

Download
memory/2496-157-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/4512-18-0x0000000000FCB000-0x0000000000FCC000-memory.dmp

Filesize
4KB

Download
memory/4512-19-0x0000000000FCB000-0x0000000000FCC000-memory.dmp

Filesize
4KB

Download
memory/4512-20-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4512-21-0x0000000000FB0000-0x00000000010B0000-memory.dmp

Filesize
1024KB

Download
memory/4512-50-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4512-49-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4512-13-0x0000000000420000-0x000000000047C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.