quasar | 370e43173ca787e6fdb25e366832b962e7361842a8c935275ea10e996a1e65dc

General

Target

Dynastyn.exe
Size

3.1MB
MD5

7278f8e052dfce0ab3b0e26342df90c7
SHA1

b8e1a85020c3bc897bee6d2dfa2b0b7a0066a877
SHA256

370e43173ca787e6fdb25e366832b962e7361842a8c935275ea10e996a1e65dc
SHA512

d8dfc255717d1756ae67720e17d21098c20ea62ddf2fd4ecc2eb45ce228c12bce655b7754879a834850b9ff831fa58b66daed54d69f869983473b20fbacd11f4
SSDEEP

49152:evBt62XlaSFNWPjljiFa2RoUYI/US21J/+oGdo7THHB72eh2NT:evr62XlaSFNWPjljiFXRoUYI/USf4

Score

10^/10

quasar dynasty spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Dynasty

C2

192.168.1.15:6811

Mutex

1874328e-c44e-4a21-9487-360438f0be06

Attributes

encryption_key
A293A810C06D86E5BF7959B54E0B6A129843E485
install_name
System.exe
log_directory
Dynasty
reconnect_delay
3000
startup_key
System.exe
subdirectory
system64x

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5496-1-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral2/files/0x001a00000002b1cd-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2132	System.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\system64x\System.exe	System.exe
File opened for modification	C:\Windows\system32\system64x	System.exe
File created	C:\Windows\system32\system64x\System.exe	Dynastyn.exe
File opened for modification	C:\Windows\system32\system64x\System.exe	Dynastyn.exe
File opened for modification	C:\Windows\system32\system64x	Dynastyn.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1132	schtasks.exe
5612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5496	Dynastyn.exe
Token: SeDebugPrivilege	2132	System.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	System.exe
2372	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5496 wrote to memory of 5612	5496	Dynastyn.exe	78
PID 5496 wrote to memory of 5612	5496	Dynastyn.exe	78
PID 5496 wrote to memory of 2132	5496	Dynastyn.exe	80
PID 5496 wrote to memory of 2132	5496	Dynastyn.exe	80
PID 2132 wrote to memory of 1132	2132	System.exe	81
PID 2132 wrote to memory of 1132	2132	System.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dynastyn.exe
"C:\Users\Admin\AppData\Local\Temp\Dynastyn.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5496
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System.exe" /sc ONLOGON /tr "C:\Windows\system32\system64x\System.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5612
- C:\Windows\system32\system64x\System.exe
  "C:\Windows\system32\system64x\System.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System.exe" /sc ONLOGON /tr "C:\Windows\system32\system64x\System.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1132

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3952

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d30e852b-ff26-405d-9998-bd5f28b80270.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp

Filesize
24KB

MD5
8c32b2c79e3be9272c13f50d28d2cea3

SHA1
a71044e003ae532b23d6fdac3ae73c384882eb91

SHA256
a3ae191a7f895c0cfcfc56dd439091378f6619e1a7bfa03e810b3f20f96d540e

SHA512
14489f5e5f62f0fa1f03feafc98e9e2e21ecff05b6811a906bdbfd3b8e70598f4aac61f9699069ba10659f4ba479cba1ef3712ee5ddea6486ccdd284ab03bd1a

Download Submit
C:\Windows\System32\system64x\System.exe

Filesize
3.1MB

MD5
7278f8e052dfce0ab3b0e26342df90c7

SHA1
b8e1a85020c3bc897bee6d2dfa2b0b7a0066a877

SHA256
370e43173ca787e6fdb25e366832b962e7361842a8c935275ea10e996a1e65dc

SHA512
d8dfc255717d1756ae67720e17d21098c20ea62ddf2fd4ecc2eb45ce228c12bce655b7754879a834850b9ff831fa58b66daed54d69f869983473b20fbacd11f4

Download Submit
memory/2132-9-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/2132-11-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/2132-12-0x000000001C3F0000-0x000000001C440000-memory.dmp

Filesize
320KB

Download
memory/2132-13-0x000000001C500000-0x000000001C5B2000-memory.dmp

Filesize
712KB

Download
memory/2132-14-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/5496-0-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp

Filesize
8KB

Download
memory/5496-1-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/5496-2-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/5496-10-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads