quasar | ebad07fe74262b4dd7fcec476fa92560983112a94d5c4346b4d934a0f4f9f6f0

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RatForKiooAdmin.exe
Size

3.4MB
MD5

eeaed02a0476fbf0bf9b87ba217a74ff
SHA1

ddc562254c09485c893befe0cd061a992e9ccf48
SHA256

ebad07fe74262b4dd7fcec476fa92560983112a94d5c4346b4d934a0f4f9f6f0
SHA512

ed426d7e8986c8ad5d6ae0d758dbac36ea663abbc6b1d5e420d4064e9ee43d46f1ae2248d58703842cfcca361ea7d911addecca70a18d5b451971f79df15a2e4
SSDEEP

98304:DvI22SsaNYfdPBldt6+dBcjHT6RJ6kdx:rd7jcB

Score

10^/10

quasar kio spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

KIO

0.tcp.ngrok.io:16302

Mutex

116e2822-047d-4b5c-ad10-563148a1a28e

Attributes

encryption_key
C366BC97216329D1909524412E3ECB1EBC575D07
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/4592-1-0x00000000001D0000-0x0000000000536000-memory.dmp family_quasar
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

1 0.tcp.ngrok.io
5 0.tcp.ngrok.io
10 0.tcp.ngrok.io
11 0.tcp.ngrok.io
12 0.tcp.ngrok.io
13 0.tcp.ngrok.io
14 0.tcp.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4004 PING.EXE
3836 PING.EXE
3748 PING.EXE
1872 PING.EXE
3760 PING.EXE
4712 PING.EXE
4040 PING.EXE

resource	yara_rule
behavioral1/memory/4592-1-0x00000000001D0000-0x0000000000536000-memory.dmp	family_quasar

flow	ioc
1	0.tcp.ngrok.io
5	0.tcp.ngrok.io
10	0.tcp.ngrok.io
11	0.tcp.ngrok.io
12	0.tcp.ngrok.io
13	0.tcp.ngrok.io
14	0.tcp.ngrok.io

pid	process
4004	PING.EXE
3836	PING.EXE
3748	PING.EXE
1872	PING.EXE
3760	PING.EXE
4712	PING.EXE
4040	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exe

description	pid	process
Token: SeDebugPrivilege	4592	RatForKiooAdmin.exe
Token: SeDebugPrivilege	4992	RatForKiooAdmin.exe
Token: SeDebugPrivilege	4016	RatForKiooAdmin.exe
Token: SeDebugPrivilege	4640	RatForKiooAdmin.exe
Token: SeDebugPrivilege	1388	RatForKiooAdmin.exe
Token: SeDebugPrivilege	4228	RatForKiooAdmin.exe
Token: SeDebugPrivilege	2256	RatForKiooAdmin.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

RatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exeRatForKiooAdmin.exe

pid process

4592 RatForKiooAdmin.exe
4992 RatForKiooAdmin.exe
4016 RatForKiooAdmin.exe
4640 RatForKiooAdmin.exe
1388 RatForKiooAdmin.exe
4228 RatForKiooAdmin.exe
2256 RatForKiooAdmin.exe

pid	process
4592	RatForKiooAdmin.exe
4992	RatForKiooAdmin.exe
4016	RatForKiooAdmin.exe
4640	RatForKiooAdmin.exe
1388	RatForKiooAdmin.exe
4228	RatForKiooAdmin.exe
2256	RatForKiooAdmin.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

RatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exeRatForKiooAdmin.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 3404	4592	RatForKiooAdmin.exe	cmd.exe
PID 4592 wrote to memory of 3404	4592	RatForKiooAdmin.exe	cmd.exe
PID 3404 wrote to memory of 3560	3404	cmd.exe	chcp.com
PID 3404 wrote to memory of 3560	3404	cmd.exe	chcp.com
PID 3404 wrote to memory of 1872	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 1872	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 4992	3404	cmd.exe	RatForKiooAdmin.exe
PID 3404 wrote to memory of 4992	3404	cmd.exe	RatForKiooAdmin.exe
PID 4992 wrote to memory of 496	4992	RatForKiooAdmin.exe	cmd.exe
PID 4992 wrote to memory of 496	4992	RatForKiooAdmin.exe	cmd.exe
PID 496 wrote to memory of 4984	496	cmd.exe	chcp.com
PID 496 wrote to memory of 4984	496	cmd.exe	chcp.com
PID 496 wrote to memory of 3760	496	cmd.exe	PING.EXE
PID 496 wrote to memory of 3760	496	cmd.exe	PING.EXE
PID 496 wrote to memory of 4016	496	cmd.exe	RatForKiooAdmin.exe
PID 496 wrote to memory of 4016	496	cmd.exe	RatForKiooAdmin.exe
PID 4016 wrote to memory of 3168	4016	RatForKiooAdmin.exe	cmd.exe
PID 4016 wrote to memory of 3168	4016	RatForKiooAdmin.exe	cmd.exe
PID 3168 wrote to memory of 4160	3168	cmd.exe	chcp.com
PID 3168 wrote to memory of 4160	3168	cmd.exe	chcp.com
PID 3168 wrote to memory of 4712	3168	cmd.exe	PING.EXE
PID 3168 wrote to memory of 4712	3168	cmd.exe	PING.EXE
PID 3168 wrote to memory of 4640	3168	cmd.exe	RatForKiooAdmin.exe
PID 3168 wrote to memory of 4640	3168	cmd.exe	RatForKiooAdmin.exe
PID 4640 wrote to memory of 1228	4640	RatForKiooAdmin.exe	cmd.exe
PID 4640 wrote to memory of 1228	4640	RatForKiooAdmin.exe	cmd.exe
PID 1228 wrote to memory of 3624	1228	cmd.exe	chcp.com
PID 1228 wrote to memory of 3624	1228	cmd.exe	chcp.com
PID 1228 wrote to memory of 4040	1228	cmd.exe	PING.EXE
PID 1228 wrote to memory of 4040	1228	cmd.exe	PING.EXE
PID 1228 wrote to memory of 1388	1228	cmd.exe	RatForKiooAdmin.exe
PID 1228 wrote to memory of 1388	1228	cmd.exe	RatForKiooAdmin.exe
PID 1388 wrote to memory of 1904	1388	RatForKiooAdmin.exe	cmd.exe
PID 1388 wrote to memory of 1904	1388	RatForKiooAdmin.exe	cmd.exe
PID 1904 wrote to memory of 4524	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 4524	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 4004	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 4004	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 4228	1904	cmd.exe	RatForKiooAdmin.exe
PID 1904 wrote to memory of 4228	1904	cmd.exe	RatForKiooAdmin.exe
PID 4228 wrote to memory of 1488	4228	RatForKiooAdmin.exe	cmd.exe
PID 4228 wrote to memory of 1488	4228	RatForKiooAdmin.exe	cmd.exe
PID 1488 wrote to memory of 2660	1488	cmd.exe	chcp.com
PID 1488 wrote to memory of 2660	1488	cmd.exe	chcp.com
PID 1488 wrote to memory of 3836	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 3836	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 2256	1488	cmd.exe	RatForKiooAdmin.exe
PID 1488 wrote to memory of 2256	1488	cmd.exe	RatForKiooAdmin.exe
PID 2256 wrote to memory of 2904	2256	RatForKiooAdmin.exe	cmd.exe
PID 2256 wrote to memory of 2904	2256	RatForKiooAdmin.exe	cmd.exe
PID 2904 wrote to memory of 2488	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 2488	2904	cmd.exe	chcp.com
PID 2904 wrote to memory of 3748	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 3748	2904	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gHRkqgkXERQt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3560

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1872

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zlQqv5ybvxFy.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:4984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:3760

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2XIujBCkW4Cl.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:4160

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4712

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uvWURhmiXdLD.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:3624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4040

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V8xtusGTjveW.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:4524

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:4004

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ag6YZMVqQQj9.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:2660

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:3836

C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RatForKiooAdmin.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t2HQb2oaNpWg.bat" "
14⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:2488

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RatForKiooAdmin.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2XIujBCkW4Cl.bat
Filesize
212B

MD5
18aad5854a44972f423bc8bc444d84ac

SHA1
8ce7d4507cef0b1fb625be014d9da605f6d66938

SHA256
b3a60fe02f8fbf460dff670248e11bc7aa62d9d4ae2c5076b3ad1aa1a0f5b056

SHA512
dac47cbe092ff37cc53b56233412808794fda40d5c865fde27b28eb1219bc74dc2d1b675a40aa16b90996b2c341b92d5bfd0b5f4869c6efe9675c240a90297cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\V8xtusGTjveW.bat
Filesize
212B

MD5
b5826ddcbae2ebee426d484ad042a37b

SHA1
2fa3bab8588ec3f33ec11b7e260c01d76f37f0d9

SHA256
8e9435c98d247a00aa11e04069d2859caedfd03089115d2e133fb25328d002e1

SHA512
898b8e3c96c4ad67a835ffdd85ce3469c38e7720f7428fe70263695d17b6e2b7069bc42b817063bb03efd36321b1e9ffbf2306284836a47e6286589f4f6fce89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ag6YZMVqQQj9.bat
Filesize
212B

MD5
3741481e943e83b9cd5cca3200f2b1c2

SHA1
43369a189e6abf450e13ba2b59324a11a704e3bf

SHA256
7735747d2b42919fd4d3d37bfe25855640ec3a691f8ef51fbc1476512a95d8bc

SHA512
9c0f9158394489f95a7b77931fc0bf0e5819aec5a535086e003072c35fa342a72ea9d979e49e2247fa134ac2daf32da09ec15ec049cc2d2797203a16a7443037

Download Submit
C:\Users\Admin\AppData\Local\Temp\gHRkqgkXERQt.bat
Filesize
212B

MD5
8cf193e64e19e7a65836760245b724ae

SHA1
e73bf48106d0184107af4f62919e1d14331f393e

SHA256
e22f104f93036e062655cc378fdb6a70edfb77add51cd10a00f15947cf297465

SHA512
1cf3a7f030254343f97368ad235a0f317ad7be8a8a17dc420866c21f6eae1d967e1ff7815e66641034ce9124ecaf9618a1104d40fc4f22eac9df3e883195e216

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2HQb2oaNpWg.bat
Filesize
212B

MD5
8d5bcc5aa07376d4c6053dc6e1f8fd43

SHA1
89dbaff288a4f8ee2c3363c9b571f9066fb6ed8e

SHA256
cb722608073277b0f1417e37cd7e0f89162ae7939ba6ea9607bbf434a718dd8a

SHA512
161aef1f35a5cd2ac09cdaedeeff38bb58352fb09e0b720032e65896269f2aab17bb066f199ac3214b4ce26d70d775d28710879f33b7c4b91e48151cad7dfe58

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvWURhmiXdLD.bat
Filesize
212B

MD5
63044c8a3161441c333dc6aaab75cf21

SHA1
6c175c1f8a4f649de18e588f765fc2a0e00939cf

SHA256
be0221e9a666e5a87d3c004dbafc462bcfab7f5742a6aff48ef2c6a76a35150d

SHA512
1f1266e59b0dd7da01816035408078bb285810295c44b1fdbb140b8458bd8c3dca55af1524da4a4a995f1bfffd5764251fb8aef7b7164ea7e5d56fdae648b9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlQqv5ybvxFy.bat
Filesize
212B

MD5
d607a2715302a84c42f4788af415a606

SHA1
232b448d8666eb47ce2b1f756f1bce41238542f7

SHA256
2e5fda574c0938f75fd1d554c1f03432a0a3811d28538ca5d4b8867261d5b0f4

SHA512
c06ccfbfeb857dc3c10fe963256f63da2ac4ac491f61335fedd6e5f4471d8667a0978e5285171d1eb26e64471d541cefed5b6f262e88154bedfe830eaa3b2761

Download Submit
memory/4592-4-0x000000001B7B0000-0x000000001B862000-memory.dmp

Filesize
712KB

Download
memory/4592-10-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp

Filesize
10.8MB

Download
memory/4592-0-0x00007FF8E5AD3000-0x00007FF8E5AD5000-memory.dmp

Filesize
8KB

Download
memory/4592-3-0x000000001B220000-0x000000001B270000-memory.dmp

Filesize
320KB

Download
memory/4592-2-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp

Filesize
10.8MB

Download
memory/4592-1-0x00000000001D0000-0x0000000000536000-memory.dmp

Filesize
3.4MB

Download
memory/4992-16-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp

Filesize
10.8MB

Download
memory/4992-12-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp

Filesize
10.8MB

Download