quasar | 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JJSPLOIT.V2.exe
Size

3.1MB
MD5

d4a776ea55e24d3124a6e0759fb0ac44
SHA1

f5932d234baccc992ca910ff12044e8965229852
SHA256

7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c
SHA512

ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b
SSDEEP

49152:gvvL82kyaNnwxPlllSWxc9LpQXmrRJ6cbR3LoGdJTHHB72eh2NT:gvD82kyaNnwxPlllSWa9LpQXmrRJ6m

Score

10^/10

quasar roblox executor spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes

encryption_key
FFEE70B90F5EBED6085600C989F1D6D56E2DEC26
install_name
windows 3543.exe
log_directory
roblox executor
reconnect_delay
3000
startup_key
windows background updater
subdirectory
windows updater

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2676-1-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b72-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1852	windows 3543.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2944	schtasks.exe
4576	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	JJSPLOIT.V2.exe
Token: SeDebugPrivilege	1852	windows 3543.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	windows 3543.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2944	2676	JJSPLOIT.V2.exe	83
PID 2676 wrote to memory of 2944	2676	JJSPLOIT.V2.exe	83
PID 2676 wrote to memory of 1852	2676	JJSPLOIT.V2.exe	85
PID 2676 wrote to memory of 1852	2676	JJSPLOIT.V2.exe	85
PID 1852 wrote to memory of 4576	1852	windows 3543.exe	86
PID 1852 wrote to memory of 4576	1852	windows 3543.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe
"C:\Users\Admin\AppData\Local\Temp\JJSPLOIT.V2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2944
- C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
  "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe

Filesize
3.1MB

MD5
d4a776ea55e24d3124a6e0759fb0ac44

SHA1
f5932d234baccc992ca910ff12044e8965229852

SHA256
7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c

SHA512
ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b

Download Submit
memory/1852-10-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/1852-11-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/1852-12-0x000000001BA80000-0x000000001BAD0000-memory.dmp

Filesize
320KB

Download
memory/1852-13-0x000000001BB90000-0x000000001BC42000-memory.dmp

Filesize
712KB

Download
memory/1852-14-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2676-0-0x00007FFBE16B3000-0x00007FFBE16B5000-memory.dmp

Filesize
8KB

Download
memory/2676-1-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/2676-2-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download
memory/2676-9-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads