quasar | 8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c

General

Target

Solara Executor.exe
Size

18.7MB
MD5

20f922eb17efc661c32b9af7123cc2e3
SHA1

cc225ff5794975e66fcbd7f6a6a0cf3c780fd488
SHA256

8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c
SHA512

6c332727ff87f432bd7b8f862e6155ff748d687a2da55726c1055f4b655d6ec43a4d3475a7f8be39302efe5905b5a8164bd8113598c1a0af5b85aa47071153fd
SSDEEP

192:8yihNYoCYedOzbD/kyL7F9DKCvzlKHmCYOF6Qb/:8hmoCJdOzbrkyF1RKGCLAk

Score

10^/10

quasar svhost32 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svhost32

C2

87.228.57.81:4782

Mutex

47b71fc0-b2c4-4112-b97a-39385a5399c1

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000027dc1-50.dat	family_quasar
behavioral3/memory/2436-62-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
384	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	2604	Solara Executor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2994328021-2832906384-2448483822-1000\Control Panel\International\Geo\Nation	Solara Executor.exe

Executes dropped EXE 2 IoCs

pid	Process
2436	vzhtjpoev.exe
5024	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
17	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5044	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
384	powershell.exe
384	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	powershell.exe
Token: SeIncreaseQuotaPrivilege	384	powershell.exe
Token: SeSecurityPrivilege	384	powershell.exe
Token: SeTakeOwnershipPrivilege	384	powershell.exe
Token: SeLoadDriverPrivilege	384	powershell.exe
Token: SeSystemProfilePrivilege	384	powershell.exe
Token: SeSystemtimePrivilege	384	powershell.exe
Token: SeProfSingleProcessPrivilege	384	powershell.exe
Token: SeIncBasePriorityPrivilege	384	powershell.exe
Token: SeCreatePagefilePrivilege	384	powershell.exe
Token: SeBackupPrivilege	384	powershell.exe
Token: SeRestorePrivilege	384	powershell.exe
Token: SeShutdownPrivilege	384	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeSystemEnvironmentPrivilege	384	powershell.exe
Token: SeRemoteShutdownPrivilege	384	powershell.exe
Token: SeUndockPrivilege	384	powershell.exe
Token: SeManageVolumePrivilege	384	powershell.exe
Token: 33	384	powershell.exe
Token: 34	384	powershell.exe
Token: 35	384	powershell.exe
Token: 36	384	powershell.exe
Token: SeDebugPrivilege	2604	Solara Executor.exe
Token: SeDebugPrivilege	2436	vzhtjpoev.exe
Token: SeDebugPrivilege	5024	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	Client.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 384	2604	Solara Executor.exe	89
PID 2604 wrote to memory of 384	2604	Solara Executor.exe	89
PID 2604 wrote to memory of 384	2604	Solara Executor.exe	89
PID 2604 wrote to memory of 2436	2604	Solara Executor.exe	94
PID 2604 wrote to memory of 2436	2604	Solara Executor.exe	94
PID 2436 wrote to memory of 5044	2436	vzhtjpoev.exe	96
PID 2436 wrote to memory of 5044	2436	vzhtjpoev.exe	96
PID 2436 wrote to memory of 5024	2436	vzhtjpoev.exe	98
PID 2436 wrote to memory of 5024	2436	vzhtjpoev.exe	98
PID 5024 wrote to memory of 2576	5024	Client.exe	99
PID 5024 wrote to memory of 2576	5024	Client.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\almujjkf'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\almujjkf\vzhtjpoev.exe
  "C:\almujjkf\vzhtjpoev.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5044
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2yxhksx.n0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\almujjkf\vzhtjpoev.exe

Filesize
3.1MB

MD5
fbb44da2d0860af30fc45116529832df

SHA1
44377732b9959172cdb261d366069801adafd52a

SHA256
3dc3c88ce100a2f6d16e8c0fbd096b622810bb62dd6dcf5719c657254129ec31

SHA512
b1cdda7f3b67f1bedfbf896a4e7e8af0d12aa78a8709604d1262cc68ff0b0bdb3a326e7325075210f4d4e22e43fd7a7fa4bfbc90fc4c032bc3f3304f79157909

Download Submit
memory/384-33-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/384-41-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-34-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-5-0x0000000005450000-0x0000000005B1A000-memory.dmp

Filesize
6.8MB

Download
memory/384-6-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/384-8-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/384-7-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/384-9-0x0000000005B20000-0x0000000005E77000-memory.dmp

Filesize
3.3MB

Download
memory/384-2-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/384-19-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/384-20-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/384-21-0x00000000072D0000-0x0000000007302000-memory.dmp

Filesize
200KB

Download
memory/384-22-0x0000000070970000-0x00000000709BC000-memory.dmp

Filesize
304KB

Download
memory/384-32-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-4-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-44-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-3-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/384-36-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/384-37-0x0000000007660000-0x000000000767A000-memory.dmp

Filesize
104KB

Download
memory/384-38-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/384-35-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/384-40-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/2436-60-0x00007FFD1FA83000-0x00007FFD1FA85000-memory.dmp

Filesize
8KB

Download
memory/2436-62-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2604-39-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/2604-45-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/2604-1-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2604-63-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/2604-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/5024-67-0x000000001D060000-0x000000001D112000-memory.dmp

Filesize
712KB

Download
memory/5024-66-0x000000001B9E0000-0x000000001BA30000-memory.dmp

Filesize
320KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads