quasar | 22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50

General

Target

wefudoneset.exe
Size

3.1MB
MD5

06838ba1d6af1ff162f4bf79e8f7e451
SHA1

1cf5196a0436fed50538a2bfef6cb14e1f8e30ed
SHA256

22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50
SHA512

e87ca2bf97c7d4d1a4e0857d75a40bd30e009fafdbcd70a905f1818994afd3694abc6680f89c127b8d7a965dd12420d097ac1371da575cfe0872f303a1735c68
SSDEEP

49152:8d9yr29T0PwfnBP6RTgxLul5XHpTTHHB72eh2NT:8dC29TffnB1xLw

Score

10^/10

quasar 1321 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0

Botnet

1321

C2

127.0.0.1:7000

Mutex

b8169f21-b1ab-4cdd-89e8-040d5b4d2b12

Attributes

encryption_key
14277F7D27CB958C695738C76EE5FBECE431CF60
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/5316-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3264	PING.EXE
5540	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3264	PING.EXE
5540	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5316	wefudoneset.exe
5316	wefudoneset.exe
4856	wefudoneset.exe
4856	wefudoneset.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5316	wefudoneset.exe
Token: SeDebugPrivilege	4856	wefudoneset.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5316 wrote to memory of 4652	5316	wefudoneset.exe	77
PID 5316 wrote to memory of 4652	5316	wefudoneset.exe	77
PID 4652 wrote to memory of 5848	4652	cmd.exe	79
PID 4652 wrote to memory of 5848	4652	cmd.exe	79
PID 4652 wrote to memory of 3264	4652	cmd.exe	80
PID 4652 wrote to memory of 3264	4652	cmd.exe	80
PID 4652 wrote to memory of 4856	4652	cmd.exe	81
PID 4652 wrote to memory of 4856	4652	cmd.exe	81
PID 4856 wrote to memory of 1016	4856	wefudoneset.exe	82
PID 4856 wrote to memory of 1016	4856	wefudoneset.exe	82
PID 1016 wrote to memory of 4876	1016	cmd.exe	84
PID 1016 wrote to memory of 4876	1016	cmd.exe	84
PID 1016 wrote to memory of 5540	1016	cmd.exe	85
PID 1016 wrote to memory of 5540	1016	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LR4UITrEnBN1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5848
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
    "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tewniu8Hj9N9.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4876
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wefudoneset.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\LR4UITrEnBN1.bat

Filesize
208B

MD5
f8b0575716bd29835f9027b2a9d90c3a

SHA1
3c5fea7eff9d3992d52e6df239cebacb02363978

SHA256
b13dca3e87328f27106736ccfdd166d0d4a6362347d97d072484c40d9b7d75fc

SHA512
6d0ae250395e499a79442c4ad60ce5502a70064586379cc2dce38ef09eb1696a7b34c219eb9ca38795af191db7d87aed1d2ae697d5e7518c8df0687884e40689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tewniu8Hj9N9.bat

Filesize
208B

MD5
268cddce97b699baab34d346e79e2eb8

SHA1
d1df911d4969186b0b9feebde7980d651b78cb0c

SHA256
c0c9047545701c49249ee40a52481e15660fceab48d1cd36af426e5e0341251d

SHA512
db163a39fee4caa76991ad5c3c1d1812ca676c2e813354fc26453a70b1236077cc47aadff85ec39f6e9332d0d03a865ff928d6b6c98f8619b67f989b1b7d9a10

Download Submit
memory/4856-10-0x00007FFC57630000-0x00007FFC580F2000-memory.dmp

Filesize
10.8MB

Download
memory/4856-14-0x00007FFC57630000-0x00007FFC580F2000-memory.dmp

Filesize
10.8MB

Download
memory/5316-0-0x00007FFC57633000-0x00007FFC57635000-memory.dmp

Filesize
8KB

Download
memory/5316-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/5316-2-0x00007FFC57630000-0x00007FFC580F2000-memory.dmp

Filesize
10.8MB

Download
memory/5316-7-0x00007FFC57630000-0x00007FFC580F2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing