quasar | a1f309adfabcda9c7f1badc025f7756f7dd8ff9da3529dee09044df6e7d177df | Triage

Submit
Reports

Overview

overview

Static

static

8

Comprobant...go.xls

windows7_x64

Comprobant...go.xls

windows10_x64

Sharing

General

Target

Comprobante de pago.xls
Size

109KB
Sample

211023-f51cvadagl
MD5

271ba3d36cd7425438355af48c600e20
SHA1

4a7f399ac4e8420b73a8274003eac6a1ffc31fb0
SHA256

a1f309adfabcda9c7f1badc025f7756f7dd8ff9da3529dee09044df6e7d177df
SHA512

33e842c5c2eefb7e40d8f651535539cc151460106407501b22eb50cc7af4347db8048238c4d9387c8c3ac5b9158a532ceb07d37c2dd269da6c68de726921faad

Score

10^/10

quasar criok macro macro_on_action spyware trojan

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

Comprobante de pago.xls

Resource

win7-en-20210920

quasar criok spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Comprobante de pago.xls

Resource

win10-en-20210920

quasar spyware trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Criok

C2

ildriendfrirotoi.zapto.org:61790

fruitingsuccess.ignorelist.com:61789

Mutex

QSR_MUTEX_JS7TIscSksvJKrLXxw

Attributes

encryption_key
7RWfQmQNDJPIz1c1QtI1
install_name
Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
Windows

Targets

- Target
  
  Comprobante de pago.xls
- Size
  
  109KB
- MD5
  
  271ba3d36cd7425438355af48c600e20
- SHA1
  
  4a7f399ac4e8420b73a8274003eac6a1ffc31fb0
- SHA256
  
  a1f309adfabcda9c7f1badc025f7756f7dd8ff9da3529dee09044df6e7d177df
- SHA512
  
  33e842c5c2eefb7e40d8f651535539cc151460106407501b22eb50cc7af4347db8048238c4d9387c8c3ac5b9158a532ceb07d37c2dd269da6c68de726921faad
Score

10^/10

quasar criok spyware trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

quasarcriokspywaretrojan

behavioral2

quasarspywaretrojan

© 2018-2024

Terms | Privacy