quasar | 04a908a9e407549cb834e945f0afb49da90f7581bda7e2d2cd3871a55997d53b | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...54.exe

windows7_x64

SecuriteIn...54.exe

windows10_x64

Sharing

General

Target

SecuriteInfo.com.MSIL.Kryptik.VQE.8354
Size

588KB
Sample

201109-qdcjr3nnys
MD5

d812fe377e3818a3e95d9e594816eefd
SHA1

4ccf31c0954dce97c385eeda0c4ff726a5cd696c
SHA256

04a908a9e407549cb834e945f0afb49da90f7581bda7e2d2cd3871a55997d53b
SHA512

74def34678da15dd28dddc68095f1a0a92e4a82ecc305f4671ca01ddbafa1e6655d22d4bb989f2097eed159259580a598f2bc36c0b7394de1115298699b7ffd9

Score

10^/10

quasar persistence rezer0 spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.MSIL.Kryptik.VQE.8354.exe

Resource

win7v20201028

quasar persistence rezer0 spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.MSIL.Kryptik.VQE.8354.exe

Resource

win10v20201028

quasar persistence rezer0 spyware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  SecuriteInfo.com.MSIL.Kryptik.VQE.8354
- Size
  
  588KB
- MD5
  
  d812fe377e3818a3e95d9e594816eefd
- SHA1
  
  4ccf31c0954dce97c385eeda0c4ff726a5cd696c
- SHA256
  
  04a908a9e407549cb834e945f0afb49da90f7581bda7e2d2cd3871a55997d53b
- SHA512
  
  74def34678da15dd28dddc68095f1a0a92e4a82ecc305f4671ca01ddbafa1e6655d22d4bb989f2097eed159259580a598f2bc36c0b7394de1115298699b7ffd9
Score

10^/10

quasar persistence rezer0 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- rezer0
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarpersistencerezer0spywaretrojan

behavioral2

quasarpersistencerezer0spywaretrojan

© 2018-2024

Terms | Privacy