quasar | 127c0abe14197e0930039c56034a86fb8efcd8f4bf882afd07ee1165d7a64c04 | Triage

Submit
Reports

Overview

overview

Static

static

Defender.exe

windows7_x64

1

Defender.exe

windows10-2004_x64

Sharing

General

Target

Defender.exe
Size

1.3MB
Sample

220523-xxc11scgd3
MD5

6cc14968ad421ec8a585a0ae5083feb5
SHA1

fda63e3b59a4c7db0b36d1021c555f8176620970
SHA256

127c0abe14197e0930039c56034a86fb8efcd8f4bf882afd07ee1165d7a64c04
SHA512

7c82183dccd92a64fac5b74705d3b05bd69250f53d169cd288e97b5dd0307ba9c5c953798a09d083e74b14c22bcca93ac40a82afe6bb3f6580e7fba6bcfc8a1f

Score

10^/10

quasar defender spyware suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Defender.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Defender.exe

Resource

win10v2004-20220414-en

quasar defender spyware suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Defender

C2

Lyoni-55552.portmap.host:55552

Mutex

QSR_MUTEX_L46QwMv1pXkGwq53wG

Attributes

encryption_key
z5VmS7ld38qkM79BLAwN
install_name
Defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Defender.exe
- Size
  
  1.3MB
- MD5
  
  6cc14968ad421ec8a585a0ae5083feb5
- SHA1
  
  fda63e3b59a4c7db0b36d1021c555f8176620970
- SHA256
  
  127c0abe14197e0930039c56034a86fb8efcd8f4bf882afd07ee1165d7a64c04
- SHA512
  
  7c82183dccd92a64fac5b74705d3b05bd69250f53d169cd288e97b5dd0307ba9c5c953798a09d083e74b14c22bcca93ac40a82afe6bb3f6580e7fba6bcfc8a1f
Score

10^/10

quasar defender spyware suricata trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

quasardefenderspywaresuricatatrojan

© 2018-2024

Terms | Privacy