quasar | 9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36

General

Target

9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe
Size

3.1MB
MD5

be32c281194c0a859cca202a418a16a3
SHA1

e2c3885c8bc9b24b492f68a2c69ebf0c488abebc
SHA256

9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36
SHA512

541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f
SSDEEP

49152:HvnlL26AaNeWgPhlmVqvMQ7XSKKzDKkCWZLoGAVATHHB72eh2NT:HvlL26AaNeWgPhlmVqkQ7XSKKzDjp

Score

10^/10

quasar driver host spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Driver Host

C2

VisoXC-59263.portmap.host:59263

Mutex

80b8889c-1e9f-4330-a95e-a3d9faf3bfc4

Attributes

encryption_key
C1589EF424F77018CD488E8307C8C1DF199C8A42
install_name
driverhost32.exe
log_directory
Driver Logs
reconnect_delay
3000
startup_key
driverhost32
subdirectory
Driver Host

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2540-1-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016dc7-5.dat	family_quasar
behavioral1/memory/3044-9-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3044	driverhost32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
336	schtasks.exe
2592	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe
Token: SeDebugPrivilege	3044	driverhost32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3044	driverhost32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2592	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	30
PID 2540 wrote to memory of 2592	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	30
PID 2540 wrote to memory of 2592	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	30
PID 2540 wrote to memory of 3044	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	32
PID 2540 wrote to memory of 3044	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	32
PID 2540 wrote to memory of 3044	2540	9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe	32
PID 3044 wrote to memory of 336	3044	driverhost32.exe	33
PID 3044 wrote to memory of 336	3044	driverhost32.exe	33
PID 3044 wrote to memory of 336	3044	driverhost32.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe
"C:\Users\Admin\AppData\Local\Temp\9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "driverhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2592
- C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe
  "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "driverhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Driver Host\driverhost32.exe

Filesize
3.1MB

MD5
be32c281194c0a859cca202a418a16a3

SHA1
e2c3885c8bc9b24b492f68a2c69ebf0c488abebc

SHA256
9d07e30f2a7238a495be924fa99761dd7e0dd300ec310e7d2d457ad7e6959b36

SHA512
541266a8f6b23b74d40c9d2656adb963c92ed5f8f2f239aa472649958f934f29a37afd42dfe27e9dfc2991c529dc949bffb6766223593c9ff7418778ad9bd36f

Download Submit
memory/2540-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/2540-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-7-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-8-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-9-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/3044-10-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-11-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads