quasar | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09-02-2025 17:26

250209-vzvbzaxpck 10

09-02-2025 17:22

09-02-2025 16:34

09-02-2025 16:32

27-01-2025 22:33

27-01-2025 22:28

27-01-2025 22:21

Analysis

max time kernel
230s
max time network
252s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-01-2025 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe.zip
Size

1KB
MD5

0206983f12db26f622bbe73b165f126f
SHA1

e71f9fc602245a337f728e27917b0b716d3828f9
SHA256

6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
SHA512

296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Score

10^/10

quasar vidar xworm office04 powerstealer prudabackend defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes

encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

45.141.26.234:7000

Attributes

Install_directory
%ProgramData%
install_file
Java Update(32bit).exe

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0003000000044fb9-39.dat	family_vidar_v7
behavioral2/memory/2148-48-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/files/0x0027000000046007-58.dat	family_vidar_v7
behavioral2/memory/232-59-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2148-89-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/232-123-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x002900000004626b-149.dat	family_xworm
behavioral2/memory/2768-159-0x0000000000EE0000-0x0000000000EF8000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral2/files/0x0004000000044d95-7.dat	family_quasar
behavioral2/memory/1996-19-0x0000000000F50000-0x0000000001274000-memory.dmp	family_quasar
behavioral2/files/0x0002000000044f02-24.dat	family_quasar
behavioral2/memory/2232-34-0x00000000009F0000-0x0000000000D1A000-memory.dmp	family_quasar
behavioral2/files/0x0028000000046276-71.dat	family_quasar
behavioral2/memory/2564-81-0x0000000000AA0000-0x0000000000DC4000-memory.dmp	family_quasar
behavioral2/files/0x0028000000046279-93.dat	family_quasar
behavioral2/memory/496-113-0x00000000005E0000-0x0000000000904000-memory.dmp	family_quasar

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3952	powershell.exe
2816	powershell.exe
2584	powershell.exe
3432	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 7 IoCs

flow	pid	Process
50	272	New Text Document.exe
60	272	New Text Document.exe
100	272	New Text Document.exe
53	272	New Text Document.exe
53	272	New Text Document.exe
64	272	New Text Document.exe
105	272	New Text Document.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4680	netsh.exe
1088	netsh.exe
2180	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	e.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe	server.exe

Executes dropped EXE 15 IoCs

pid	Process
1996	updater.exe
2232	Discord.exe
1312	update.exe
2148	noyjhoadw.exe
232	build.exe
1568	powerstealer.exe
2564	fag3.exe
496	fag.exe
1308	Server.exe
376	server.exe
1524	StUpdate.exe
2768	e.exe
4552	payload.exe
3520	abc.exe
2744	StUpdate.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update(32bit) = "C:\\ProgramData\\Java Update(32bit).exe"	e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
112	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	updater.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
3660	schtasks.exe
2532	schtasks.exe
2544	schtasks.exe
4476	schtasks.exe
4448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
376	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	New Text Document.exe
Token: SeDebugPrivilege	1996	updater.exe
Token: SeDebugPrivilege	2232	Discord.exe
Token: SeDebugPrivilege	1312	update.exe
Token: SeDebugPrivilege	1568	powerstealer.exe
Token: SeDebugPrivilege	2564	fag3.exe
Token: SeDebugPrivilege	496	fag.exe
Token: SeDebugPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: SeDebugPrivilege	2768	e.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeIncreaseQuotaPrivilege	3432	powershell.exe
Token: SeSecurityPrivilege	3432	powershell.exe
Token: SeTakeOwnershipPrivilege	3432	powershell.exe
Token: SeLoadDriverPrivilege	3432	powershell.exe
Token: SeSystemProfilePrivilege	3432	powershell.exe
Token: SeSystemtimePrivilege	3432	powershell.exe
Token: SeProfSingleProcessPrivilege	3432	powershell.exe
Token: SeIncBasePriorityPrivilege	3432	powershell.exe
Token: SeCreatePagefilePrivilege	3432	powershell.exe
Token: SeBackupPrivilege	3432	powershell.exe
Token: SeRestorePrivilege	3432	powershell.exe
Token: SeShutdownPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeSystemEnvironmentPrivilege	3432	powershell.exe
Token: SeRemoteShutdownPrivilege	3432	powershell.exe
Token: SeUndockPrivilege	3432	powershell.exe
Token: SeManageVolumePrivilege	3432	powershell.exe
Token: 33	3432	powershell.exe
Token: 34	3432	powershell.exe
Token: 35	3432	powershell.exe
Token: 36	3432	powershell.exe
Token: 33	376	server.exe
Token: SeIncBasePriorityPrivilege	376	server.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	3952	powershell.exe
Token: SeLoadDriverPrivilege	3952	powershell.exe
Token: SeSystemProfilePrivilege	3952	powershell.exe
Token: SeSystemtimePrivilege	3952	powershell.exe
Token: SeProfSingleProcessPrivilege	3952	powershell.exe
Token: SeIncBasePriorityPrivilege	3952	powershell.exe
Token: SeCreatePagefilePrivilege	3952	powershell.exe
Token: SeBackupPrivilege	3952	powershell.exe
Token: SeRestorePrivilege	3952	powershell.exe
Token: SeShutdownPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeSystemEnvironmentPrivilege	3952	powershell.exe
Token: SeRemoteShutdownPrivilege	3952	powershell.exe
Token: SeUndockPrivilege	3952	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	fag3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2564	fag3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1312	update.exe
1568	powerstealer.exe
2768	e.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1996	272	New Text Document.exe	106
PID 272 wrote to memory of 1996	272	New Text Document.exe	106
PID 272 wrote to memory of 2232	272	New Text Document.exe	107
PID 272 wrote to memory of 2232	272	New Text Document.exe	107
PID 1996 wrote to memory of 2532	1996	updater.exe	108
PID 1996 wrote to memory of 2532	1996	updater.exe	108
PID 1996 wrote to memory of 1312	1996	updater.exe	110
PID 1996 wrote to memory of 1312	1996	updater.exe	110
PID 272 wrote to memory of 2148	272	New Text Document.exe	111
PID 272 wrote to memory of 2148	272	New Text Document.exe	111
PID 272 wrote to memory of 2148	272	New Text Document.exe	111
PID 1312 wrote to memory of 2544	1312	update.exe	112
PID 1312 wrote to memory of 2544	1312	update.exe	112
PID 2232 wrote to memory of 4476	2232	Discord.exe	114
PID 2232 wrote to memory of 4476	2232	Discord.exe	114
PID 272 wrote to memory of 232	272	New Text Document.exe	116
PID 272 wrote to memory of 232	272	New Text Document.exe	116
PID 272 wrote to memory of 232	272	New Text Document.exe	116
PID 2232 wrote to memory of 1568	2232	Discord.exe	117
PID 2232 wrote to memory of 1568	2232	Discord.exe	117
PID 1568 wrote to memory of 4448	1568	powerstealer.exe	118
PID 1568 wrote to memory of 4448	1568	powerstealer.exe	118
PID 272 wrote to memory of 2564	272	New Text Document.exe	121
PID 272 wrote to memory of 2564	272	New Text Document.exe	121
PID 272 wrote to memory of 496	272	New Text Document.exe	122
PID 272 wrote to memory of 496	272	New Text Document.exe	122
PID 272 wrote to memory of 1308	272	New Text Document.exe	123
PID 272 wrote to memory of 1308	272	New Text Document.exe	123
PID 272 wrote to memory of 1308	272	New Text Document.exe	123
PID 1308 wrote to memory of 376	1308	Server.exe	124
PID 1308 wrote to memory of 376	1308	Server.exe	124
PID 1308 wrote to memory of 376	1308	Server.exe	124
PID 376 wrote to memory of 4680	376	server.exe	125
PID 376 wrote to memory of 4680	376	server.exe	125
PID 376 wrote to memory of 4680	376	server.exe	125
PID 376 wrote to memory of 1088	376	server.exe	127
PID 376 wrote to memory of 1088	376	server.exe	127
PID 376 wrote to memory of 1088	376	server.exe	127
PID 376 wrote to memory of 2180	376	server.exe	128
PID 376 wrote to memory of 2180	376	server.exe	128
PID 376 wrote to memory of 2180	376	server.exe	128
PID 376 wrote to memory of 4484	376	server.exe	130
PID 376 wrote to memory of 4484	376	server.exe	130
PID 376 wrote to memory of 4484	376	server.exe	130
PID 272 wrote to memory of 2768	272	New Text Document.exe	137
PID 272 wrote to memory of 2768	272	New Text Document.exe	137
PID 272 wrote to memory of 4552	272	New Text Document.exe	138
PID 272 wrote to memory of 4552	272	New Text Document.exe	138
PID 272 wrote to memory of 3520	272	New Text Document.exe	139
PID 272 wrote to memory of 3520	272	New Text Document.exe	139
PID 2768 wrote to memory of 3432	2768	e.exe	140
PID 2768 wrote to memory of 3432	2768	e.exe	140
PID 2768 wrote to memory of 3952	2768	e.exe	143
PID 2768 wrote to memory of 3952	2768	e.exe	143
PID 2768 wrote to memory of 2816	2768	e.exe	145
PID 2768 wrote to memory of 2816	2768	e.exe	145
PID 2768 wrote to memory of 2584	2768	e.exe	147
PID 2768 wrote to memory of 2584	2768	e.exe	147
PID 2768 wrote to memory of 3660	2768	e.exe	149
PID 2768 wrote to memory of 3660	2768	e.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
1⤵
PID:976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3824

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\Desktop\a\updater.exe
  "C:\Users\Admin\Desktop\a\updater.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2544
- C:\Users\Admin\Desktop\a\Discord.exe
  "C:\Users\Admin\Desktop\a\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4476
- - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4448
- C:\Users\Admin\Desktop\a\noyjhoadw.exe
  "C:\Users\Admin\Desktop\a\noyjhoadw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Users\Admin\Desktop\a\build.exe
  "C:\Users\Admin\Desktop\a\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:232
- C:\Users\Admin\Desktop\a\fag3.exe
  "C:\Users\Admin\Desktop\a\fag3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2564
- C:\Users\Admin\Desktop\a\fag.exe
  "C:\Users\Admin\Desktop\a\fag.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:496
- C:\Users\Admin\Desktop\a\Server.exe
  "C:\Users\Admin\Desktop\a\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4680
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1088
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4484
- C:\Users\Admin\Desktop\a\e.exe
  "C:\Users\Admin\Desktop\a\e.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\e.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'e.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2584
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3660
- C:\Users\Admin\Desktop\a\payload.exe
  "C:\Users\Admin\Desktop\a\payload.exe"
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Users\Admin\Desktop\a\abc.exe
  "C:\Users\Admin\Desktop\a\abc.exe"
  2⤵
  - Executes dropped EXE
  PID:3520

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
"C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
345B

MD5
7edbce9b8d730aab97bad5fb0fd94c80

SHA1
7201189c4ed6f6c0395c6e72ab100633b8257a0c

SHA256
c8b0d844bd3624524a1f4682797bf3db7f96057707c038345f925abdcb719fae

SHA512
6dddab7ae53df794df1613befa618a5b76d00d170074741df7d6cda43b0dc47051b50673ba5454a2a30ce5be6f81f21f0a3d973e2a819c8f18d60394a23c26a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a05b2100c6652100ef647e108141d531

SHA1
049acff41a42fc2267889517f6e3a1c10a2fde4d

SHA256
cbee2e39b9fea62e26c4c35739e1688dd45284d6504d14d8e2954d6d706d03d6

SHA512
291cf915ca11e7ac852e20ed1ab17a0c837606bdea82783828123a1baa106f2e247d917113f2fdf6f8f4fe4827548b6a68a5a73eb5001bc7f7edbbe02cae2fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BB6ABD5C8B98473A20C12EFFB847B7E2

Filesize
540B

MD5
8bc0eecf4fb33c7cddd9a55f3725feda

SHA1
59d235d07ea4f43af0d3c5953609add44193c298

SHA256
f08c0403550daff99770e8dc8e9e28c0b8f3dd4d572014ade492453ea791fadb

SHA512
f226fb265234e83e33bd446de68e2b1cccb586dc6b30013e0dca953199dd4cd52c1803f786386fed46f408daeaf1561a9a554b7117b1f8074c1f74168f5bf56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
11c924dd7e95b6c1243d3dc6a6cda57d

SHA1
dc5becbb4ba7c94037c13de7163b541f4dfe0b7b

SHA256
18ebe71e164d362b1c0464dda0cb3269b2940c40abd588bde37d92c81263ba52

SHA512
dd021f43ce21d1fb35119fa9303b09281365ca676b6e944de844b397dd407cee9b17b740220bb09d024ffb6e1acf45d4c41ea4101e6cb011f7a1fa9cbf8e2432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
841f16c5b3313d1b894cfac78f413981

SHA1
0dcc4f0bbd91f2159305963df27ff3e51227e801

SHA256
1d09d2b4517438228149bc6a0c289972c29cb5b0321db55cedbfa870896bda1d

SHA512
76a4fbabdafbbc014f709ffd2ad5d1579657f46fc4a053ea854362176319cbbfe3d7a6a3b2c8c9d2cdb738055d2201e47f5ca2ef5f0b5f1ed484465b9986d452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f46bb45cb2408d57b5e249ba7746d46

SHA1
2622b32a860e08c81fa307dd0c23e1b263e6659a

SHA256
c6460b42b63742bd1a257ebb3c9cfedc5b05df8fa95a048954e4e0430584c323

SHA512
dd12551ba7c6db774016b86cea733ff3563c5523a5029b1095dc90238b2d381f05612b32915ddc4f5ac8a7c56fb02d8becf00b092612954192784ff38568f9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_113xbl1g.mnk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
C:\Users\Admin\Desktop\a\Discord.exe

Filesize
3.1MB

MD5
bedd5e5f44b78c79f93e29dc184cfa3d

SHA1
11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

SHA256
e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

SHA512
3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

Download Submit
C:\Users\Admin\Desktop\a\Server.exe

Filesize
93KB

MD5
a9ba2416df448c5f3b36581ecfa4cd31

SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7

SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf

SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3

Download Submit
C:\Users\Admin\Desktop\a\abc.exe

Filesize
840KB

MD5
d0f7b322f84f6f8af04ceb66565cabcd

SHA1
5fd0e27ea2355d7bb8038883ea8bdea706993d88

SHA256
522c13c5a1b5d176d21f9590dd649fb0b621eeaea9ad580e460724ceda4b954a

SHA512
dd0c683b8ca85b363a8328c92b5dfb4647383273e3760b01dc066af06da557107a66f11eaf76b9d234721847dc8b8a9aeada33cef383165cc9a9508c49fa0ac0

Download Submit
C:\Users\Admin\Desktop\a\build.exe

Filesize
119KB

MD5
08388bb4894c71e7b1be4bad966c3824

SHA1
7437ac98f08fc41283b900aa6fb0ae350d59dd6c

SHA256
986a98dc33a925fa232e1e5311807c7681cad9e0f07957d81e4f2f8257503f9c

SHA512
2adf5154e7dca7de1fcf12560c97f1b74e66fb3c5074d8fa9d29dd9da91a1314f9fc18270808c12364c4941a6a2346109824bd4c625df905f9be84af393934b3

Download Submit
C:\Users\Admin\Desktop\a\e.exe

Filesize
73KB

MD5
09534368a2ac076690545dd84d2c9a68

SHA1
a8d176358c822c15a2d01f179b010bf1ea07148c

SHA256
e3545abe551c3441e672ed8e5fdb4b33c1221cdaca3bcda9e2137cec00e8d61f

SHA512
9039660b2b310eb2851e49c34f44bd1709eb23f33acd2aee9818c63db4570b7b8356b9916516568759cf148a370bbd33024649f025bcaba81621eaaef123c856

Download Submit
C:\Users\Admin\Desktop\a\fag.exe

Filesize
3.1MB

MD5
814d032273cdbdc32dc6a232c108129f

SHA1
bd4b3bea0d543dd287fd952a5ae053f649f11fe4

SHA256
95e8911b88b45f18c2f415df69166ea5dadc1af3ee4ed79d42ca31dc812c4043

SHA512
1aca47dc3e839f192a0c51c396f1596f03a843c88883a6d4be02ce55647585d6a98e8ed215872661dbe412d9095eabf334fec5545a4a1dcf75a3ebe48dd2cbbf

Download Submit
C:\Users\Admin\Desktop\a\fag3.exe

Filesize
3.1MB

MD5
6b6cd0ace200ae15a3c40568bd516739

SHA1
c17c2dae1f9d4a3268f51ba9acf2095171408621

SHA256
9746060c7d36d8675945405b0c1928fb6bbcfe1bbac0f4c3247bd245ac6c4271

SHA512
4330446f193832bc3cdba0461df477ed7b27af44cce83daa7bf4c46afacee37b8e5ce7191573b23604efbeef66b2ed763adc156303e3e3927e1fc315ba22b1cd

Download Submit
C:\Users\Admin\Desktop\a\noyjhoadw.exe

Filesize
119KB

MD5
65cc23e7237f3cff2d206a269793772e

SHA1
fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd

SHA256
a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb

SHA512
7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

Download Submit
C:\Users\Admin\Desktop\a\payload.exe

Filesize
539KB

MD5
abc7fb9618f2ee1c90aabc6156ff11ce

SHA1
8b2d741632c0a65a7a64b3a3e6670835cf74eef6

SHA256
3e9a60d5f6174bb1f1c973e9466f3e70c74c771043ee00688e50cac5e8efe185

SHA512
b457cb6eac3359f211b9f1f0aaec5f786cb0abb5f529f05ab8b6a76c750400d196f866b16a9908a052baeabe2c6f49e307df7b86568c46051472b944481b8448

Download Submit
C:\Users\Admin\Desktop\a\updater.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
memory/232-59-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/232-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/272-109-0x00007FFDD5290000-0x00007FFDD5D52000-memory.dmp

Filesize
10.8MB

Download
memory/272-1-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/272-87-0x00007FFDD5293000-0x00007FFDD5295000-memory.dmp

Filesize
8KB

Download
memory/272-2-0x00007FFDD5290000-0x00007FFDD5D52000-memory.dmp

Filesize
10.8MB

Download
memory/272-0-0x00007FFDD5293000-0x00007FFDD5295000-memory.dmp

Filesize
8KB

Download
memory/496-113-0x00000000005E0000-0x0000000000904000-memory.dmp

Filesize
3.1MB

Download
memory/1312-66-0x000000001C820000-0x000000001C85C000-memory.dmp

Filesize
240KB

Download
memory/1312-65-0x000000001B2A0000-0x000000001B2B2000-memory.dmp

Filesize
72KB

Download
memory/1312-64-0x000000001C8A0000-0x000000001C952000-memory.dmp

Filesize
712KB

Download
memory/1312-63-0x000000001B250000-0x000000001B2A0000-memory.dmp

Filesize
320KB

Download
memory/1996-19-0x0000000000F50000-0x0000000001274000-memory.dmp

Filesize
3.1MB

Download
memory/2148-48-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2148-89-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2232-34-0x00000000009F0000-0x0000000000D1A000-memory.dmp

Filesize
3.2MB

Download
memory/2564-81-0x0000000000AA0000-0x0000000000DC4000-memory.dmp

Filesize
3.1MB

Download
memory/2768-159-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/3432-193-0x00000203F0450000-0x00000203F0472000-memory.dmp

Filesize
136KB

Download