quasar | 0db4c87022c5db7751f85b7c3a63df7a30bf95863e1fff2d6bd5064bd0ace2a1 | Triage

Submit
Reports

Overview

overview

Static

static

8

Comprobant...go.doc

windows7_x64

Comprobant...go.doc

windows10_x64

Sharing

General

Target

Comprobante de pago.doc
Size

58KB
Sample

211023-f51cvacbb4
MD5

f6728352bf1b5f1c78b27a34b48d8325
SHA1

3dbabe2f63c3cb5f1b93d969d11e3adf665e19fb
SHA256

0db4c87022c5db7751f85b7c3a63df7a30bf95863e1fff2d6bd5064bd0ace2a1
SHA512

c365babb89087a0187aa6ccdb3f7eadd7a048a08f046da44230d9d25968129cac18cbf96a81a2db66210310c02abec3c130e21f3d60e54112c7c3b5eb7976ddc

Score

10^/10

quasar criok macro macro_on_action spyware trojan xlm

Static task

static1

macro xlm macro_on_action

Behavioral task

behavioral1

Sample

Comprobante de pago.doc

Resource

win7-en-20211014

quasar criok spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Comprobante de pago.doc

Resource

win10-en-20211014

quasar spyware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Criok

C2

ildriendfrirotoi.zapto.org:61790

fruitingsuccess.ignorelist.com:61789

Mutex

QSR_MUTEX_JS7TIscSksvJKrLXxw

Attributes

encryption_key
7RWfQmQNDJPIz1c1QtI1
install_name
Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows

Targets

- Target
  
  Comprobante de pago.doc
- Size
  
  58KB
- MD5
  
  f6728352bf1b5f1c78b27a34b48d8325
- SHA1
  
  3dbabe2f63c3cb5f1b93d969d11e3adf665e19fb
- SHA256
  
  0db4c87022c5db7751f85b7c3a63df7a30bf95863e1fff2d6bd5064bd0ace2a1
- SHA512
  
  c365babb89087a0187aa6ccdb3f7eadd7a048a08f046da44230d9d25968129cac18cbf96a81a2db66210310c02abec3c130e21f3d60e54112c7c3b5eb7976ddc
Score

10^/10

quasar criok spyware trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macroxlmmacro_on_action

behavioral1

quasarcriokspywaretrojan

behavioral2

quasarspywaretrojan

© 2018-2024

Terms | Privacy