quasar | 0be5a8e4d80353ec3e852df8da35a05138978ea6fb7b8cb10f244f709e170be0

General

Target

pt3FUor71KhFxRI.exe
Size

1.6MB
MD5

07cabbbc11af08a2c4540c0fa2cff498
SHA1

78694904ffd774102ed8a7956971009aeb014356
SHA256

0be5a8e4d80353ec3e852df8da35a05138978ea6fb7b8cb10f244f709e170be0
SHA512

cc0df894db716b74f7d33e375cb66c0fbafb31f4bcc4cef937aea0038681acfb086f8c9660d9603d6ce5506bb615f01ddfb869cbc3ac5c1f444b042cc6c513d9
SSDEEP

49152:rq4H/Y6gY9W3M4xtJXYDjf9Gjyl4h2iKw:24HwAW3JxDUQ+l4giKw

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1140-3-0x0000000000400000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1140-11-0x0000000005760000-0x000000000577A000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2188	svchost.exe
2136	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	pt3FUor71KhFxRI.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	pt3FUor71KhFxRI.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	pt3FUor71KhFxRI.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2188 set thread context of 2136	2188	svchost.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pt3FUor71KhFxRI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pt3FUor71KhFxRI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	svchost.exe
2136	svchost.exe
2136	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	pt3FUor71KhFxRI.exe
Token: SeDebugPrivilege	1140	pt3FUor71KhFxRI.exe
Token: SeDebugPrivilege	2188	svchost.exe
Token: SeDebugPrivilege	2136	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 2628 wrote to memory of 1140	2628	pt3FUor71KhFxRI.exe	82
PID 1140 wrote to memory of 2212	1140	pt3FUor71KhFxRI.exe	83
PID 1140 wrote to memory of 2212	1140	pt3FUor71KhFxRI.exe	83
PID 1140 wrote to memory of 2212	1140	pt3FUor71KhFxRI.exe	83
PID 1140 wrote to memory of 2188	1140	pt3FUor71KhFxRI.exe	85
PID 1140 wrote to memory of 2188	1140	pt3FUor71KhFxRI.exe	85
PID 1140 wrote to memory of 2188	1140	pt3FUor71KhFxRI.exe	85
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86
PID 2188 wrote to memory of 2136	2188	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\pt3FUor71KhFxRI.exe
"C:\Users\Admin\AppData\Local\Temp\pt3FUor71KhFxRI.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\pt3FUor71KhFxRI.exe
  "C:\Users\Admin\AppData\Local\Temp\pt3FUor71KhFxRI.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Repair Tool" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2212
- - C:\Windows\SysWOW64\SubDir\svchost.exe
    "C:\Windows\system32\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\SubDir\svchost.exe
      "C:\Windows\SysWOW64\SubDir\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pt3FUor71KhFxRI.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Windows\SysWOW64\SubDir\svchost.exe

Filesize
1.6MB

MD5
07cabbbc11af08a2c4540c0fa2cff498

SHA1
78694904ffd774102ed8a7956971009aeb014356

SHA256
0be5a8e4d80353ec3e852df8da35a05138978ea6fb7b8cb10f244f709e170be0

SHA512
cc0df894db716b74f7d33e375cb66c0fbafb31f4bcc4cef937aea0038681acfb086f8c9660d9603d6ce5506bb615f01ddfb869cbc3ac5c1f444b042cc6c513d9

Download Submit
memory/1140-3-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1140-10-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/1140-18-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/1140-12-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/1140-7-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/1140-8-0x0000000005F20000-0x00000000064C6000-memory.dmp

Filesize
5.6MB

Download
memory/1140-9-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/1140-11-0x0000000005760000-0x000000000577A000-memory.dmp

Filesize
104KB

Download
memory/2188-19-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2188-21-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2188-26-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2628-2-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2628-6-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2628-1-0x0000000000A30000-0x0000000000BC6000-memory.dmp

Filesize
1.6MB

Download
memory/2628-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2628-20-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads