quasar | 0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f | Triage

Submit
Reports

Overview

overview

Static

static

0a37eef9a7...8f.exe

windows7_x64

0a37eef9a7...8f.exe

windows10-2004_x64

Sharing

General

Target

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
Size

348KB
Sample

220520-fh11vsdehq
MD5

be1958cb2bbcde1fa0ebbdc73a579fff
SHA1

d91235298ccc73a1712407db6ff7b83225e66c82
SHA256

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
SHA512

e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f

Score

10^/10

quasar infected persistence spyware suricata trojan

Static task

static1

infected quasar

Behavioral task

behavioral1

Sample

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe

Resource

win7-20220414-en

quasar infected persistence spyware suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f.exe

Resource

win10v2004-20220414-en

quasar infected persistence spyware suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

INFECTED

C2

mpapwpodllalw:4787

Mutex

QSR_MUTEX_ZHiYRTyEwnDVythpPG

Attributes

encryption_key
JJ24c9vhc2iN2AuqTdrZ
install_name
lclsrv.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Microsoft SMB Filter 2.0
subdirectory
Windows

Targets

- Target
  
  0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
- Size
  
  348KB
- MD5
  
  be1958cb2bbcde1fa0ebbdc73a579fff
- SHA1
  
  d91235298ccc73a1712407db6ff7b83225e66c82
- SHA256
  
  0a37eef9a7a23635bf0bd60529521d44e60fa454a329a81466a657edb442a08f
- SHA512
  
  e70318ed7a80d6f16053a6a0376741774f49889b6cc189ff128f1fa3169c0724d84c649b25086b2420ce4c2222640b9da7974af20074f50054e382bbf639734f
Score

10^/10

quasar infected persistence spyware suricata trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarinfectedpersistencespywaresuricatatrojan

behavioral2

quasarinfectedpersistencespywaresuricatatrojan

© 2018-2024

Terms | Privacy