Quasar RAT Activity January, 2021

Over the last couple days of this new year, I've seen a couple Quasar RATs come across my path. So I decided to highlight some of the analysis here.

The first sample I'm looking at is invoice.iso (8fc2bdfaf329c652090d6bcd2f88b764). As you can see from the app.any.run link this ends up dropping and executing a simple VBS file.

Clearly, we see that this attempts to use "MSHTA" to navigate to the minpic[.]de link pictured above. This results in the following powershell script, cleverly disguised as a JPEG file.

When we run a simple base64 decoding against this we get another URL in the minpic[.]de domain called by powershell.  hxxps://www.minpic[.]de/t/be5r/18jv5z.

When we look at this page, we see yet another powershell script which again references another link in the minpic[.]de domain!

When we look at this URL we find a page that contains a whole bunch of Hex code!

The previous powershell script, which references this page of Hex code, also executes a function to build the code into something else.... wait for it..... Another powershell script!!!

What strikes me as interesting here, is that the variable name starting with $a...... is loaded and executed very similar to how the Jupyter Malware I wrote about last month looks. So, extracting the executable from this should be a similar process. To test this, I used the following modifications and ran with it!

Yep! Very similar, I can use Cyberchef to "From Charcode Base 10" with a delimiter of "Line Feed" to extract the Quasar executable which the powershell loads into MSbuild.exe in this sample. In other samples I have seen RegSvcs.exe being used.

Here is the VirusTotal Link to the extracted Quasar executable!


ISO Dropper Hash: 8fc2bdfaf329c652090d6bcd2f88b764

VBS Downloader Hash: 119F4649E03ACB94BAE703CB1AED2D63

Downloader link: hxxps://www.minpic[.]de/t/be5s/f8wbe

Stage 2 Downloader: hxxps://www.minpic[.]de/t/be5r/18jv5z

Hex code for Stage 2 hxxps://www.minpic[.]de/k/be5q/2xolu/

Powershell MD5 loader for Quasar: 7f1a2ff37d10eb877e51efca0daf8910

Quasar Executable Hash: 9b9880756019b1eeea28019cc18b9ee5

C2: 164.68.122[.]235:5559

C2: top[.]killwhenabusing1[.]xyz