quasar | 874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

General

Target

874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe
Size

3.1MB
MD5

c965446805dc5c40e1bffe859716bea7
SHA1

7d6b257f8f830f512552bd11b36bb1fc88a1e966
SHA256

874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5
SHA512

157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b
SSDEEP

49152:bv1I22SsaNYfdPBldt698dBcjHQFwGSBe1LoLdfTHHB72eh2NT:bve22SsaNYfdPBldt6+dBcjH5GD

Score

10^/10

quasar prudabackend spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

C2

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2588-1-0x0000000000B10000-0x0000000000E34000-memory.dmp	family_quasar
behavioral1/files/0x0007000000012117-6.dat	family_quasar
behavioral1/memory/2792-9-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2792	update.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\update.exe	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe
File opened for modification	C:\Windows\system32\update.exe	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe
File opened for modification	C:\Windows\system32\update.exe	update.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
2760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe
Token: SeDebugPrivilege	2792	update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	update.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2064	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	30
PID 2588 wrote to memory of 2064	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	30
PID 2588 wrote to memory of 2064	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	30
PID 2588 wrote to memory of 2792	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	32
PID 2588 wrote to memory of 2792	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	32
PID 2588 wrote to memory of 2792	2588	874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe	32
PID 2792 wrote to memory of 2760	2792	update.exe	33
PID 2792 wrote to memory of 2760	2792	update.exe	33
PID 2792 wrote to memory of 2760	2792	update.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe
"C:\Users\Admin\AppData\Local\Temp\874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2064
- C:\Windows\system32\update.exe
  "C:\Windows\system32\update.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\update.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
memory/2588-0-0x000007FEF64F3000-0x000007FEF64F4000-memory.dmp

Filesize
4KB

Download
memory/2588-1-0x0000000000B10000-0x0000000000E34000-memory.dmp

Filesize
3.1MB

Download
memory/2588-2-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2588-8-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-9-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/2792-11-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-10-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-12-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-13-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads