General

  • Target

    05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe

  • Size

    109KB

  • Sample

    220305-t1c9eagff6

  • MD5

    1755e55d32771a3d51e049ef4ee9f7ef

  • SHA1

    bbfcea2e25a843d2d2c4023ed026809c0a173e88

  • SHA256

    05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519

  • SHA512

    be18e1db9cfa88a41d3cf8945399d16aa145b905687a78324f0fb4cbea94a4d7dc6354975ab938fb2e9ab30469ac47f9ce3858485a132bd5354cafd0920cc328

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (exe.dropper)

    https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (exe.dropper)

    https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe

Extracted

  • Family

    quasar

  • Version

    1.4.0

  • Botnet

    Cheats

  • C2

    anubisgod.duckdns.org:1338

  • Mutex

    6f2a7175-754c-4ce5-a610-2f8866732c05

Attributes
  • encryption_key

    0411D8B9B23547F86733347B0634010F112E158F

  • install_name

    dlscord.exe

  • log_directory

    dlscordLogs

  • reconnect_delay

    3000

  • startup_key

    dlscord

  • subdirectory

    dlscord

Targets

    • Target

      05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe

    • Size

      109KB

    • MD5

      1755e55d32771a3d51e049ef4ee9f7ef

    • SHA1

      bbfcea2e25a843d2d2c4023ed026809c0a173e88

    • SHA256

      05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519

    • SHA512

      be18e1db9cfa88a41d3cf8945399d16aa145b905687a78324f0fb4cbea94a4d7dc6354975ab938fb2e9ab30469ac47f9ce3858485a132bd5354cafd0920cc328

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053), 1 match

  • Persistence

    Scheduled Task (T1053), 1 match

  • Privilege Escalation

    Scheduled Task (T1053), 1 match

  • Discovery

    System Information Discovery (T1082), 1 match
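The extracted config, the dropper URLs and the behaviours listed for this target are enough to build a first-pass indicator matcher for host and network telemetry. The Python below is an added example, not part of the sandbox report and not Quasar's own code: it encodes the C2 host and port, mutex, install/startup/log names, Discord CDN dropper URLs and sample SHA256 from this page and checks constructed telemetry events (Sysmon-style field names, not records from the sandbox run) against them. It goes slightly beyond the page in two ways: it flags any cdn.discordapp.com attachment served from the same channel as the two droppers, and it flags file names that spell "discord" only after undoing look-alike character swaps, which is the trick the install name dlscord.exe relies on. The schtasks command line in the sample data is constructed to fit the Scheduled Task technique the report lists; the report itself does not show the command.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the extracted Quasar 1.4.0 config and dropper URLs in this report.
C2_HOST = "anubisgod.duckdns.org"
C2_PORT = 1338
INSTALL_NAME = "dlscord.exe"
SUBDIRECTORY = "dlscord"
STARTUP_KEY = "dlscord"
LOG_DIRECTORY = "dlscordLogs"
MUTEX = "6f2a7175-754c-4ce5-a610-2f8866732c05"
SAMPLE_SHA256 = "05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519"
DROPPER_URLS = {
    "https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln",
    "https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe",
}

# Discord CDN attachment paths have the shape /attachments/<channel id>/<attachment id>/<filename>.
DISCORD_CDN_RE = re.compile(r"^/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<filename>[^/?#]+)$")

def parse_discord_attachment(url):
    """Return channel/attachment/filename for a cdn.discordapp.com attachment URL, else None."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc.lower() != "cdn.discordapp.com":
        return None
    m = DISCORD_CDN_RE.match(u.path)
    return m.groupdict() if m else None

# Both droppers were served from one channel; any other file from it is worth a look.
DROPPER_CHANNELS = {parse_discord_attachment(u)["channel"] for u in DROPPER_URLS}

# Look-alike substitutions: "dlscord" reads as "discord" because a lowercase l stands in for i.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def discord_masquerade(filename):
    """True when a file name spells 'discord' only after undoing look-alike characters."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem != "discord" and stem.translate(HOMOGLYPHS) == "discord"

# schtasks /tn <name> with the startup_key from the config, quoted or not.
TASK_NAME_RE = re.compile(r'/tn\s+"?%s"?(?:\s|$)' % re.escape(STARTUP_KEY.lower()))

def match_event(ev):
    """Return the names of the indicators one telemetry event hits (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        parts = ev["image"].replace("/", "\\").lower().split("\\")
        name, dirs = parts[-1], parts[:-1]
        if name == INSTALL_NAME.lower():
            hits.append("install_name")
        if SUBDIRECTORY.lower() in dirs:
            hits.append("subdirectory")
        if discord_masquerade(name):
            hits.append("discord_masquerade")
        cmd = ev.get("commandline", "").lower()
        if "schtasks" in cmd and TASK_NAME_RE.search(cmd):
            hits.append("startup_key_task")
    elif kind == "network_connect":
        if ev["dest_host"].lower().rstrip(".") == C2_HOST:
            hits.append("c2_host")
            if ev.get("dest_port") == C2_PORT:
                hits.append("c2_port")
    elif kind == "http_request":
        att = parse_discord_attachment(ev["url"])
        if ev["url"] in DROPPER_URLS:
            hits.append("dropper_url")
        elif att and att["channel"] in DROPPER_CHANNELS:
            hits.append("dropper_channel")
    elif kind == "file_create":
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append("sample_sha256")
        if LOG_DIRECTORY.lower() in ev["path"].lower().split("\\"):
            hits.append("log_directory")
    elif kind == "mutex_create" and ev["name"].lower() == MUTEX:
        hits.append("mutex")
    return hits

def scan(events):
    """Map event index -> hits for every event that matched at least one indicator."""
    result = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            result[i] = hits
    return result

# Constructed telemetry with Sysmon-like field names; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "http_request", "url": "https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe"},
    {"type": "http_request", "url": "https://cdn.discordapp.com/attachments/935052169835593748/111111111111111111/other.exe"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\dlscord\dlscord.exe", "sha256": SAMPLE_SHA256.upper()},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Roaming\dlscord\dlscord.exe", "commandline": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "commandline": r'schtasks /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\u\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f'},
    {"type": "network_connect", "dest_host": "anubisgod.duckdns.org", "dest_port": 1338},
    {"type": "mutex_create", "name": MUTEX.upper()},
    # The genuine Discord client, to show the masquerade check does not fire on the real name.
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Discord\app-1.0.9003\Discord.exe", "commandline": ""},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

Matching is case-insensitive but otherwise exact for the config strings, so a hit on install_name, subdirectory or startup_key is a direct tie to this build's config; the dropper_channel and discord_masquerade hits are weaker, broader signals meant to surface related samples and should be triaged rather than alerted on by themselves. Feed real events by mapping your log schema onto the type/image/commandline/dest_host/dest_port/url/path/sha256/name keys used here.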
