quasar | 1815a7d64f7c44b2eeb9560c62d8f805f85f0abd7a5119940bece4ba75a98721

General

Target

Client-built.exe
Size

3.1MB
MD5

06f2bf9b401d06ce6c91498ead63e2a1
SHA1

b90040aacdde3a0dbb310a672cb6f6b8537c3875
SHA256

1815a7d64f7c44b2eeb9560c62d8f805f85f0abd7a5119940bece4ba75a98721
SHA512

95400aa5f057aecfe817cca3ca5250dc8727407806a662a84f2d293998c014710850a97a76f70cfb1cb674b4b9c1d9533a0b7d2a74723592b0fa849e1640a9ed
SSDEEP

49152:MvPlL26AaNeWgPhlmVqvMQ7XSKrp12xoGdmTHHB72eh2NT:MvdL26AaNeWgPhlmVqkQ7XSKrp1k

Score

10^/10

quasar lisasucemoi spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

LisaSuceMoi

C2

valouzz1234-60474.portmap.host:60474

Mutex

eb21c27a-76a8-4d9b-bf47-98f413c746f5

Attributes

encryption_key
4B5EEB0652E6BEA43CC995383C7934AFE315C272
install_name
reg32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Updater System
subdirectory
Windows Updater

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000930000-0x0000000000C58000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016dc6-6.dat	family_quasar
behavioral1/memory/2748-9-0x0000000000090000-0x00000000003B8000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2748	reg32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
2736	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	Client-built.exe
Token: SeDebugPrivilege	2748	reg32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	reg32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2748	reg32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	reg32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2688	2232	Client-built.exe	31
PID 2232 wrote to memory of 2688	2232	Client-built.exe	31
PID 2232 wrote to memory of 2688	2232	Client-built.exe	31
PID 2232 wrote to memory of 2748	2232	Client-built.exe	33
PID 2232 wrote to memory of 2748	2232	Client-built.exe	33
PID 2232 wrote to memory of 2748	2232	Client-built.exe	33
PID 2748 wrote to memory of 2736	2748	reg32.exe	34
PID 2748 wrote to memory of 2736	2748	reg32.exe	34
PID 2748 wrote to memory of 2736	2748	reg32.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Updater System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Updater\reg32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2688
- C:\Users\Admin\AppData\Roaming\Windows Updater\reg32.exe
  "C:\Users\Admin\AppData\Roaming\Windows Updater\reg32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Updater System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Updater\reg32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Updater\reg32.exe

Filesize
3.1MB

MD5
06f2bf9b401d06ce6c91498ead63e2a1

SHA1
b90040aacdde3a0dbb310a672cb6f6b8537c3875

SHA256
1815a7d64f7c44b2eeb9560c62d8f805f85f0abd7a5119940bece4ba75a98721

SHA512
95400aa5f057aecfe817cca3ca5250dc8727407806a662a84f2d293998c014710850a97a76f70cfb1cb674b4b9c1d9533a0b7d2a74723592b0fa849e1640a9ed

Download Submit
memory/2232-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000930000-0x0000000000C58000-memory.dmp

Filesize
3.2MB

Download
memory/2232-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-8-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-9-0x0000000000090000-0x00000000003B8000-memory.dmp

Filesize
3.2MB

Download
memory/2748-11-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-10-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-12-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads