quasar | 550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee | Triage

Submit
Reports

Overview

overview

Static

static

550b51d2a0...ee.exe

windows7_x64

550b51d2a0...ee.exe

windows10-2004_x64

Sharing

General

Target

550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
Size

3.3MB
Sample

220310-v4mgxscefk
MD5

6e582307cd30f4d9d3090ad09029a054
SHA1

f3acdde16804c9034ed025ad78b3000375135ab7
SHA256

550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
SHA512

c284503f042fed5d1f56042f803e0eb169d7a265ecda70112cc467bf47b879dab756230da0f9f202f0f8cd8841d3ecd49f59fcd2a6fea7cc3e8023e8a4dddd2d

Score

10^/10

quasar sys32 persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee.exe

Resource

win7-20220223-en

quasar sys32 persistence spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee.exe

Resource

win10v2004-en-20220113

quasar sys32 persistence spyware stealer trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Sys32

C2

184.105.238.80:4782

Mutex

QSR_MUTEX_IBj5UlCqsXE96x1jgF

Attributes

encryption_key
mZfAUjkKkw53M41DGa6d
install_name
System32.exe
log_directory
Sys32Logs
reconnect_delay
3000
startup_key
System32
subdirectory
SubDir

Targets

- Target
  
  550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
- Size
  
  3.3MB
- MD5
  
  6e582307cd30f4d9d3090ad09029a054
- SHA1
  
  f3acdde16804c9034ed025ad78b3000375135ab7
- SHA256
  
  550b51d2a09fb0f3de57d1a11327235fa3349f8ae3605b065b9e85b44c00bbee
- SHA512
  
  c284503f042fed5d1f56042f803e0eb169d7a265ecda70112cc467bf47b879dab756230da0f9f202f0f8cd8841d3ecd49f59fcd2a6fea7cc3e8023e8a4dddd2d
Score

10^/10

quasar sys32 persistence spyware stealer trojan upx
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

quasarsys32persistencespywarestealertrojanupx

behavioral2

quasarsys32persistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy