quasar | 7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581

General

Target

2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Size

5.1MB
MD5

59ddcad28d941a4cd3af90a10a3833a7
SHA1

a831be3525978ff33076479ad43935fc23432927
SHA256

7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581
SHA512

0b630da6233302d6912cb36b34eba465329f6087afdd9be7ce2e232ad6910f86c90db29983c7e391232106012bb583e115e7c988ae3f326a5d85eb0187fcde63
SSDEEP

98304:4EavUEH9tOXMHer9STJsv6tWKFdu9CLDsEJncODv6k3QaW:zGtDXTJsv6tWKFdu9CLBJnP6k3Q

Score

10^/10

quasar discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Mutex

�YO,��-�zۜg��q

Attributes

encryption_key
B79C633924DB50C64E5A0FDA379FDD053E7E4574
log_directory
��ʻ�]�3�탃
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/6088-5-0x0000000007BF0000-0x0000000007D7E000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
2064	S5fyTGPe.exe
4848	RuntimeBroker.exe
4968	S5fyTGPe.exe
568	RuntimeBroker.exe
2372	S5fyTGPe.exe
648	RuntimeBroker.exe
1092	S5fyTGPe.exe
5168	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe = "C:\\Users\\Admin\\AppData\\Roaming\\O4zLEUnKB1\\S5fyTGPe.exe"	S5fyTGPe.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S5fyTGPe.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2064	S5fyTGPe.exe
4968	S5fyTGPe.exe
2372	S5fyTGPe.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	6088	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
Token: SeDebugPrivilege	2064	S5fyTGPe.exe
Token: SeDebugPrivilege	4968	S5fyTGPe.exe
Token: SeDebugPrivilege	2372	S5fyTGPe.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2064	1244	cmd.exe	81
PID 1244 wrote to memory of 2064	1244	cmd.exe	81
PID 1244 wrote to memory of 2064	1244	cmd.exe	81
PID 6088 wrote to memory of 4848	6088	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	82
PID 6088 wrote to memory of 4848	6088	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	82
PID 6088 wrote to memory of 4848	6088	2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe	82
PID 3440 wrote to memory of 4968	3440	cmd.exe	85
PID 3440 wrote to memory of 4968	3440	cmd.exe	85
PID 3440 wrote to memory of 4968	3440	cmd.exe	85
PID 2064 wrote to memory of 568	2064	S5fyTGPe.exe	86
PID 2064 wrote to memory of 568	2064	S5fyTGPe.exe	86
PID 2064 wrote to memory of 568	2064	S5fyTGPe.exe	86
PID 4496 wrote to memory of 2372	4496	cmd.exe	89
PID 4496 wrote to memory of 2372	4496	cmd.exe	89
PID 4496 wrote to memory of 2372	4496	cmd.exe	89
PID 4968 wrote to memory of 648	4968	S5fyTGPe.exe	90
PID 4968 wrote to memory of 648	4968	S5fyTGPe.exe	90
PID 4968 wrote to memory of 648	4968	S5fyTGPe.exe	90
PID 5524 wrote to memory of 1092	5524	cmd.exe	93
PID 5524 wrote to memory of 1092	5524	cmd.exe	93
PID 5524 wrote to memory of 1092	5524	cmd.exe	93
PID 2372 wrote to memory of 5168	2372	S5fyTGPe.exe	94
PID 2372 wrote to memory of 5168	2372	S5fyTGPe.exe	94
PID 2372 wrote to memory of 5168	2372	S5fyTGPe.exe	94

C:\Users\Admin\AppData\Local\Temp\2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-20_59ddcad28d941a4cd3af90a10a3833a7_elex_mafia.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6088
- C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5524
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- - C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe"
    3⤵
    PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
1⤵
PID:396
- C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe
  2⤵
  PID:5432

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S5fyTGPe.exe.log

Filesize
1KB

MD5
af5e7a69d40fa61fc5cbe8e47b94e6f2

SHA1
7a17838ce80aca637271aeed443fbd5c7b6ffd59

SHA256
0acb16fce2cbcab32c09856689e22bffeca7941433389f92a01dc612b4ae4a5f

SHA512
848c2ee685a3298dfa266d5bc070ff77a8513a2a14b71e834614850bc6144d5c15f17da9f80148b4f9d9a206a168c74aaa5574589da1fb7629e7fc3513db84d8

Download Submit
C:\Users\Admin\AppData\Roaming\O4zLEUnKB1\S5fyTGPe.exe

Filesize
5.1MB

MD5
59ddcad28d941a4cd3af90a10a3833a7

SHA1
a831be3525978ff33076479ad43935fc23432927

SHA256
7c53e91f6e48aa2c0dec8a5ddd6e29c551aeb27b8a4da027036b0436b2e1a581

SHA512
0b630da6233302d6912cb36b34eba465329f6087afdd9be7ce2e232ad6910f86c90db29983c7e391232106012bb583e115e7c988ae3f326a5d85eb0187fcde63

Download Submit
C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe

Filesize
4.9MB

MD5
baa44b785b8e8dd92f21e39a42e261d2

SHA1
91bfb1b82002adac0d6f494185026d6729d01654

SHA256
f5d51b3456ff44e9659d838ddcafe9b7642ad2ffbdbd6ca16bb66f6bc08be743

SHA512
0cbe393f8d94b4f06876bd10485824575fa54c7f8298a26960a9bfb726edbf4e5a0a3e05600075111562fb4205a6624d2922bd9241c6e396b6e48d2d1c18fa7e

Download Submit
C:\Users\Admin\AppData\Roaming\peer\RuntimeBroker.exe

Filesize
3.3MB

MD5
25326185678771fdf96edfb7b493d70f

SHA1
a9945c9578985f9d57c3d02390fcc347dc5af7e2

SHA256
ff3429d0905aed516ee2f774e321b10dc55bc19ff587cd517487d3c968de3d20

SHA512
5aba156c17161e12ba6fb201efcae5d708e9f37baa2a951f906f031f654db2a4c81fafcca1e5396aca6d495a8ffc2123943fbac7cb3bfad7c27e2a5082082836

Download Submit
memory/2064-16-0x00000000049B0000-0x0000000004B3A000-memory.dmp

Filesize
1.5MB

Download
memory/4848-17-0x00000000048E0000-0x0000000004A6A000-memory.dmp

Filesize
1.5MB

Download
memory/6088-6-0x0000000008330000-0x00000000088D6000-memory.dmp

Filesize
5.6MB

Download
memory/6088-15-0x0000000004DF0000-0x0000000004F7A000-memory.dmp

Filesize
1.5MB

Download
memory/6088-9-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

Filesize
40KB

Download
memory/6088-8-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/6088-7-0x0000000007970000-0x0000000007A02000-memory.dmp

Filesize
584KB

Download
memory/6088-0-0x0000000004DF0000-0x0000000004F7A000-memory.dmp

Filesize
1.5MB

Download
memory/6088-5-0x0000000007BF0000-0x0000000007D7E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads