quasar | 6f8f3587f197afafce54790a5f61cc59790352f48e9ed2b7b282414f92be321c

Resubmissions

05-02-2025 00:08

250205-afas1a1khq 10

05-02-2025 00:03

250205-acac3ayqet 10

Analysis

max time kernel
93s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-02-2025 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

extracted_payload.exe
Size

5.8MB
MD5

410e19496641d191d18eec16c6addd87
SHA1

e007c3b22e3aade86364cc8e960062194c0c2883
SHA256

6f8f3587f197afafce54790a5f61cc59790352f48e9ed2b7b282414f92be321c
SHA512

32e8b7216df74fb36cbbb0bcb6bd6c7b89e82b725a4c777e5bd62e2084e67c66324acfc3ee0638814625ef2b87500680385a136e2f676581ba30d678063879ff
SSDEEP

98304:qVzA+NolR3oceUQ1spbvuKSUJ17LrbH4q8y1iYVk1OUkh54oZdxkOHYSM:6PNO3K1spbmxcrbH4a1iYVk1O15DUC

Score

10^/10

quasar seroxen v15.0 | fifa23 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.0 | Fifa23

private123.duckdns.org:8808

dofucks.com:8808

Mutex

c398e98c-136e-4007-ab40-e179829f338c

Attributes

encryption_key
C84CB6134701741C5122A14FACDB67C8CFA9C0AB
install_name
.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1268-17-0x000000001BF60000-0x000000001C928000-memory.dmp	family_quasar

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1268 created 612	1268	extracted_payload.exe	5

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 3188	1268	extracted_payload.exe	89

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen.bat	extracted_payload.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1268	extracted_payload.exe
1268	extracted_payload.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	extracted_payload.exe
Token: SeDebugPrivilege	1268	extracted_payload.exe
Token: SeDebugPrivilege	3188	dllhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3188	1268	extracted_payload.exe	89
PID 1268 wrote to memory of 3712	1268	extracted_payload.exe	90
PID 1268 wrote to memory of 3712	1268	extracted_payload.exe	90

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ce0de8b0-485b-4a20-a33c-352a461f783d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188

C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe
"C:\Users\Admin\AppData\Local\Temp\extracted_payload.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat
  2⤵
  PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iv.txt

Filesize
24B

MD5
e06c2da1739df03712096fbb78b1bed5

SHA1
2dc45be4ae3b47e264141b02b8bf9b45d53d9590

SHA256
743cfc8a6f274067cb1a19a508e5f578cf3c6a6c8d57c908610b26d4af93313e

SHA512
670837bf8afa5d56c8b955f684f62898af4aa3869b1ca86a738db6f5a3d454b79dd15df10340e796e481a883b304d01c99d83c93992fd37bf688168f8c86e0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.txt

Filesize
44B

MD5
d517f9b6e102c7cca582ef522f2c9b67

SHA1
7113043b1a9805837545b1b7454f147005dc665c

SHA256
2ea4ee184c909d5c2df4e4b2865b853ef8ec8c9f023972073cb8cfb66a35a72f

SHA512
898fec6cf9f8804c5c37da77f82917640555339bc1242473006f30c5a3e06b1c0a72527b06c6803be553160235004bac5b7d9a84993af5f30f89bd9fd1dbe5a8

Download Submit
memory/1268-18-0x000000001CC30000-0x000000001CD56000-memory.dmp

Filesize
1.1MB

Download
memory/1268-1-0x0000000000900000-0x0000000000ED0000-memory.dmp

Filesize
5.8MB

Download
memory/1268-16-0x00007FFD82410000-0x00007FFD82ED2000-memory.dmp

Filesize
10.8MB

Download
memory/1268-17-0x000000001BF60000-0x000000001C928000-memory.dmp

Filesize
9.8MB

Download
memory/1268-0-0x00007FFD82413000-0x00007FFD82415000-memory.dmp

Filesize
8KB

Download
memory/1268-19-0x00007FFDA09F0000-0x00007FFDA0BE8000-memory.dmp

Filesize
2.0MB

Download
memory/1268-20-0x00007FFD9F9A0000-0x00007FFD9FA5D000-memory.dmp

Filesize
756KB

Download
memory/1268-26-0x00007FFD82410000-0x00007FFD82ED2000-memory.dmp

Filesize
10.8MB

Download
memory/3188-22-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3188-24-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3188-23-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3188-21-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3188-27-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download