quasar | a7e7de656010612d8f5741491c7f5e4480d8face10c5f1c445fdfda6d70b4908 | Triage

Submit
Reports

Overview

overview

Static

static

Qoutation ...92.exe

windows7_x64

Qoutation ...92.exe

windows10_x64

Sharing

General

Target

Qoutation order34323892.exe
Size

580KB
Sample

201109-vfydpanfbx
MD5

081fb4b7f8a59eaba1704f9009da7443
SHA1

d37d48c1da18c1f5d055e747bc6e36d2c6e1cfad
SHA256

a7e7de656010612d8f5741491c7f5e4480d8face10c5f1c445fdfda6d70b4908
SHA512

28c8a1ffac0b8e036d43140534c738eff329dddfa4ae0aebc4433b7228b49c808ba8a66ffec460f1a1d02bd70ac15256113e8a7f837d01576e55504191739309

Score

10^/10

quasar coreentity persistence rezer0 spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Qoutation order34323892.exe

Resource

win7v20201028

quasar coreentity persistence rezer0 spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Qoutation order34323892.exe

Resource

win10v20201028

quasar coreentity persistence rezer0 spyware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  Qoutation order34323892.exe
- Size
  
  580KB
- MD5
  
  081fb4b7f8a59eaba1704f9009da7443
- SHA1
  
  d37d48c1da18c1f5d055e747bc6e36d2c6e1cfad
- SHA256
  
  a7e7de656010612d8f5741491c7f5e4480d8face10c5f1c445fdfda6d70b4908
- SHA512
  
  28c8a1ffac0b8e036d43140534c738eff329dddfa4ae0aebc4433b7228b49c808ba8a66ffec460f1a1d02bd70ac15256113e8a7f837d01576e55504191739309
Score

10^/10

quasar coreentity persistence rezer0 spyware trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- rezer0
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarcoreentitypersistencerezer0spywaretrojan

behavioral2

quasarcoreentitypersistencerezer0spywaretrojan

© 2018-2024

Terms | Privacy