quasar | 705a6a49aa16e995ea92d6f866a61c5d4e7b9eb4ec9986af35ce5b488c45fbb9

General

Target

Client-built.exe
Size

3.1MB
MD5

9f21cf43d032fc842837ef4b192140aa
SHA1

20464f746717ef1d9e7d4424a489bb07f9e0fc43
SHA256

705a6a49aa16e995ea92d6f866a61c5d4e7b9eb4ec9986af35ce5b488c45fbb9
SHA512

30ebc041afb9ca8990787a60bb3be189926e61c42897e99dd1b1a05a87a1a1679c0a60466670e3be0bf485d5aadf5898e993e1b883cdd924d7bfec56b0f9ad6f
SSDEEP

49152:CvIt62XlaSFNWPjljiFa2RoUYIL5zapoGBXTHHB72eh2NT:CvE62XlaSFNWPjljiFXRoUYIL5z2

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

C2

45.202.32.36:1111

Mutex

30f39ce2-55fb-4edc-9531-3fb9e6ba4912

Attributes

encryption_key
9ABAA568E3BFACC1828658EB883F521748218E8E
install_name
Updaterr.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Updater
subdirectory
Discord

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4392-1-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/files/0x001d00000002aab2-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3780	Updaterr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
556	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
556	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
680	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	Client-built.exe
Token: SeDebugPrivilege	3780	Updaterr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 680	4392	Client-built.exe	77
PID 4392 wrote to memory of 680	4392	Client-built.exe	77
PID 4392 wrote to memory of 3780	4392	Client-built.exe	79
PID 4392 wrote to memory of 3780	4392	Client-built.exe	79
PID 3780 wrote to memory of 2252	3780	Updaterr.exe	80
PID 3780 wrote to memory of 2252	3780	Updaterr.exe	80
PID 3780 wrote to memory of 2220	3780	Updaterr.exe	83
PID 3780 wrote to memory of 2220	3780	Updaterr.exe	83
PID 3780 wrote to memory of 488	3780	Updaterr.exe	85
PID 3780 wrote to memory of 488	3780	Updaterr.exe	85
PID 488 wrote to memory of 1060	488	cmd.exe	87
PID 488 wrote to memory of 1060	488	cmd.exe	87
PID 488 wrote to memory of 556	488	cmd.exe	88
PID 488 wrote to memory of 556	488	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Updaterr.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:680
- C:\Users\Admin\AppData\Roaming\Discord\Updaterr.exe
  "C:\Users\Admin\AppData\Roaming\Discord\Updaterr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Updaterr.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2252
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "Updater" /f
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RHUzqXJ10k25.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1060
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RHUzqXJ10k25.bat

Filesize
214B

MD5
33f91adf743d1390d1f96f0f5a2be064

SHA1
4d3533a7155f41e5fec43e47c233951cbfb33102

SHA256
43f733ec96b280dc60018d3dbf4a61ebe6e3b208fe0605205dcd2a23f309f033

SHA512
c9e796ac630d6ff35b0f71d699da1d2f0be2d3fbe5f50df821abce6f10e21ca8ceeaf2d62a53eadb07671352926c356f4036eb2aa5b98b82f6c7577fe7868964

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\Updaterr.exe

Filesize
3.1MB

MD5
9f21cf43d032fc842837ef4b192140aa

SHA1
20464f746717ef1d9e7d4424a489bb07f9e0fc43

SHA256
705a6a49aa16e995ea92d6f866a61c5d4e7b9eb4ec9986af35ce5b488c45fbb9

SHA512
30ebc041afb9ca8990787a60bb3be189926e61c42897e99dd1b1a05a87a1a1679c0a60466670e3be0bf485d5aadf5898e993e1b883cdd924d7bfec56b0f9ad6f

Download Submit
memory/3780-11-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/3780-9-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/3780-12-0x0000000002580000-0x00000000025D0000-memory.dmp

Filesize
320KB

Download
memory/3780-13-0x000000001B790000-0x000000001B842000-memory.dmp

Filesize
712KB

Download
memory/3780-16-0x000000001B0F0000-0x000000001B102000-memory.dmp

Filesize
72KB

Download
memory/3780-17-0x000000001B150000-0x000000001B18C000-memory.dmp

Filesize
240KB

Download
memory/3780-18-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/3780-23-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/4392-2-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/4392-10-0x00007FFF55630000-0x00007FFF560F2000-memory.dmp

Filesize
10.8MB

Download
memory/4392-0-0x00007FFF55633000-0x00007FFF55635000-memory.dmp

Filesize
8KB

Download
memory/4392-1-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads