quasar | 6f8f3587f197afafce54790a5f61cc59790352f48e9ed2b7b282414f92be321c

Resubmissions

05-02-2025 00:08

250205-afas1a1khq 10

05-02-2025 00:03

250205-acac3ayqet 10

Analysis

max time kernel
95s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

extracted_payload.exe
Size

5.8MB
MD5

410e19496641d191d18eec16c6addd87
SHA1

e007c3b22e3aade86364cc8e960062194c0c2883
SHA256

6f8f3587f197afafce54790a5f61cc59790352f48e9ed2b7b282414f92be321c
SHA512

32e8b7216df74fb36cbbb0bcb6bd6c7b89e82b725a4c777e5bd62e2084e67c66324acfc3ee0638814625ef2b87500680385a136e2f676581ba30d678063879ff
SSDEEP

98304:qVzA+NolR3oceUQ1spbvuKSUJ17LrbH4q8y1iYVk1OUkh54oZdxkOHYSM:6PNO3K1spbmxcrbH4a1iYVk1O15DUC

Score

10^/10

quasar seroxen v15.0 | fifa23 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.0 | Fifa23

private123.duckdns.org:8808

dofucks.com:8808

Mutex

c398e98c-136e-4007-ab40-e179829f338c

Attributes

encryption_key
C84CB6134701741C5122A14FACDB67C8CFA9C0AB
install_name
.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1056-17-0x000000001BAB0000-0x000000001C478000-memory.dmp	family_quasar

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1056 created 616	1056	extracted_payload.exe	5

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 2792	1056	extracted_payload.exe	88

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen.bat	extracted_payload.exe
File opened for modification	C:\Windows\$sxr-seroxen.bat	extracted_payload.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1056	extracted_payload.exe
1056	extracted_payload.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe
2792	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	extracted_payload.exe
Token: SeDebugPrivilege	1056	extracted_payload.exe
Token: SeDebugPrivilege	2792	dllhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2792	1056	extracted_payload.exe	88
PID 1056 wrote to memory of 2628	1056	extracted_payload.exe	89
PID 1056 wrote to memory of 2628	1056	extracted_payload.exe	89

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4a9c6224-3a3c-415a-b1e9-d556d963548c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792

C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe
"C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat
  2⤵
  PID:2628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iv.txt

Filesize
24B

MD5
e06c2da1739df03712096fbb78b1bed5

SHA1
2dc45be4ae3b47e264141b02b8bf9b45d53d9590

SHA256
743cfc8a6f274067cb1a19a508e5f578cf3c6a6c8d57c908610b26d4af93313e

SHA512
670837bf8afa5d56c8b955f684f62898af4aa3869b1ca86a738db6f5a3d454b79dd15df10340e796e481a883b304d01c99d83c93992fd37bf688168f8c86e0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.txt

Filesize
44B

MD5
d517f9b6e102c7cca582ef522f2c9b67

SHA1
7113043b1a9805837545b1b7454f147005dc665c

SHA256
2ea4ee184c909d5c2df4e4b2865b853ef8ec8c9f023972073cb8cfb66a35a72f

SHA512
898fec6cf9f8804c5c37da77f82917640555339bc1242473006f30c5a3e06b1c0a72527b06c6803be553160235004bac5b7d9a84993af5f30f89bd9fd1dbe5a8

Download Submit
C:\Windows\$sxr-seroxen.bat

Filesize
5.8MB

MD5
410e19496641d191d18eec16c6addd87

SHA1
e007c3b22e3aade86364cc8e960062194c0c2883

SHA256
6f8f3587f197afafce54790a5f61cc59790352f48e9ed2b7b282414f92be321c

SHA512
32e8b7216df74fb36cbbb0bcb6bd6c7b89e82b725a4c777e5bd62e2084e67c66324acfc3ee0638814625ef2b87500680385a136e2f676581ba30d678063879ff

Download Submit
memory/1056-20-0x00007FF854D70000-0x00007FF854E2E000-memory.dmp

Filesize
760KB

Download
memory/1056-16-0x00007FF836C60000-0x00007FF837721000-memory.dmp

Filesize
10.8MB

Download
memory/1056-17-0x000000001BAB0000-0x000000001C478000-memory.dmp

Filesize
9.8MB

Download
memory/1056-18-0x000000001C7D0000-0x000000001C8F6000-memory.dmp

Filesize
1.1MB

Download
memory/1056-19-0x00007FF8552D0000-0x00007FF8554C5000-memory.dmp

Filesize
2.0MB

Download
memory/1056-0-0x00007FF836C63000-0x00007FF836C65000-memory.dmp

Filesize
8KB

Download
memory/1056-1-0x00000000005C0000-0x0000000000B90000-memory.dmp

Filesize
5.8MB

Download
memory/1056-29-0x00007FF836C60000-0x00007FF837721000-memory.dmp

Filesize
10.8MB

Download
memory/2792-21-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2792-23-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2792-26-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2792-22-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2792-28-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download