quasar | 913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3

General

Target

Windows-Defender-Secuirty.exe
Size

3.2MB
MD5

9ba5115936784f8cb9ac69bd61736c55
SHA1

dac63ba8cc947740f97d83d734eb6010a67e983c
SHA256

913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3
SHA512

9628b5787262619bf752e66bbefd668ffde71036beb8672b4ec35c0cea5d37ce2b181e3a2c7ca56bacab4752516174ee72b917954d4dfe5790fe986da9b79d22
SSDEEP

49152:4vElL26AaNeWgPhlmVqvMQ7XSK4MR16tbR3NoGdq6THHB72eh2NT:4vkL26AaNeWgPhlmVqkQ7XSK4MR16Z

Score

10^/10

quasar minecraft spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Minecraft

C2

193.161.193.99:31740

Mutex

7424fadc-becc-4b4c-bea3-27b51a34ad76

Attributes

encryption_key
69C432FEA7A429312DD8D56BD03E551FF7516129
install_name
SecurityHealthManager.exe
log_directory
lom
reconnect_delay
3000
startup_key
SecurityHealthManager
subdirectory
Health

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1848-1-0x00000000000D0000-0x000000000040E000-memory.dmp	family_quasar
behavioral1/files/0x000700000001945c-6.dat	family_quasar
behavioral1/memory/2692-8-0x0000000000390000-0x00000000006CE000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2692	SecurityHealthManager.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2392	schtasks.exe
2816	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	Windows-Defender-Secuirty.exe
Token: SeDebugPrivilege	2692	SecurityHealthManager.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	SecurityHealthManager.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2692	SecurityHealthManager.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	SecurityHealthManager.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2392	1848	Windows-Defender-Secuirty.exe	30
PID 1848 wrote to memory of 2392	1848	Windows-Defender-Secuirty.exe	30
PID 1848 wrote to memory of 2392	1848	Windows-Defender-Secuirty.exe	30
PID 1848 wrote to memory of 2692	1848	Windows-Defender-Secuirty.exe	32
PID 1848 wrote to memory of 2692	1848	Windows-Defender-Secuirty.exe	32
PID 1848 wrote to memory of 2692	1848	Windows-Defender-Secuirty.exe	32
PID 2692 wrote to memory of 2816	2692	SecurityHealthManager.exe	33
PID 2692 wrote to memory of 2816	2692	SecurityHealthManager.exe	33
PID 2692 wrote to memory of 2816	2692	SecurityHealthManager.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows-Defender-Secuirty.exe
"C:\Users\Admin\AppData\Local\Temp\Windows-Defender-Secuirty.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "SecurityHealthManager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2392
- C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe
  "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "SecurityHealthManager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2816

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe

Filesize
3.2MB

MD5
9ba5115936784f8cb9ac69bd61736c55

SHA1
dac63ba8cc947740f97d83d734eb6010a67e983c

SHA256
913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3

SHA512
9628b5787262619bf752e66bbefd668ffde71036beb8672b4ec35c0cea5d37ce2b181e3a2c7ca56bacab4752516174ee72b917954d4dfe5790fe986da9b79d22

Download Submit
memory/1848-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x00000000000D0000-0x000000000040E000-memory.dmp

Filesize
3.2MB

Download
memory/1848-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-9-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-8-0x0000000000390000-0x00000000006CE000-memory.dmp

Filesize
3.2MB

Download
memory/2692-10-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads