quasar | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

General

Target

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

quasar xworm rat1 discovery rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

C2

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Extracted

Family

xworm

C2

147.185.221.27:31149

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002429a-23.dat	family_xworm
behavioral1/memory/2228-30-0x0000000000560000-0x0000000000576000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022b5d-9.dat	family_quasar
behavioral1/memory/4884-18-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 3 IoCs

flow	pid	Process
42	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
42	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
46	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe

Executes dropped EXE 5 IoCs

pid	Process
4884	Client-built.exe
2228	Cloudy.exe
3684	System32.exe
5252	12321321.exe
2768	856.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
42	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2360	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Token: SeDebugPrivilege	4884	Client-built.exe
Token: SeDebugPrivilege	2228	Cloudy.exe
Token: SeDebugPrivilege	3684	System32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5820 wrote to memory of 4884	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	100
PID 5820 wrote to memory of 4884	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	100
PID 5820 wrote to memory of 2228	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	101
PID 5820 wrote to memory of 2228	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	101
PID 4884 wrote to memory of 2360	4884	Client-built.exe	102
PID 4884 wrote to memory of 2360	4884	Client-built.exe	102
PID 4884 wrote to memory of 3684	4884	Client-built.exe	104
PID 4884 wrote to memory of 3684	4884	Client-built.exe	104
PID 5820 wrote to memory of 5252	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	105
PID 5820 wrote to memory of 5252	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	105
PID 5820 wrote to memory of 2768	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	109
PID 5820 wrote to memory of 2768	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	109
PID 5820 wrote to memory of 2768	5820	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
"C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5820
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2360
- - C:\Users\Admin\AppData\Roaming\System32\System32.exe
    "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- C:\Users\Admin\AppData\Local\Temp\Files\Cloudy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cloudy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\Files\12321321.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12321321.exe"
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Users\Admin\AppData\Local\Temp\Files\856.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\856.exe"
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\12321321.exe

Filesize
348KB

MD5
ce869420036665a228c86599361f0423

SHA1
8732dfe486f5a7daa4aedda48a3eb134bc2f35c0

SHA256
eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

SHA512
66f47f62ce2c0b49c6effcd152e49360b5fa4667f0db74bff7ff723f6e4bfc4df305ae249fad06feeaad57df14ee9919b7dcc04f7a55bb4b07e96406ed14319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\856.exe

Filesize
93KB

MD5
68edafe0a1705d5c7dd1cb14fa1ca8ce

SHA1
7e9d854c90acd7452645506874c4e6f10bfdda31

SHA256
68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d

SHA512
89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Cloudy.exe

Filesize
63KB

MD5
df8b7081b4e73ec77c418c69f9b6e67b

SHA1
7c14a78da7f6adc79a94b95fac5a778116820e17

SHA256
fc9fb9d6e3dfa400a51df18b7dfe73f5102b636b1db879083cbf1f9b5ab410c7

SHA512
f37bc3fa5e738ec9f28b13745727cb43482d9162f0002bcc7c125916af711647296279393fc919c59c907966ca663452c2ba60a68ae61d56d242a0fbc4461a71

Download Submit
memory/2228-30-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/4884-17-0x00007FFBB3773000-0x00007FFBB3775000-memory.dmp

Filesize
8KB

Download
memory/4884-18-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/5252-47-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/5252-57-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/5820-4-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/5820-5-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5820-3-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5820-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/5820-2-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/5820-1-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads