General

  • Target

    3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a

  • Size

    628KB

  • Sample

    220525-cpcp3afhh6

  • MD5

    2ca449f58a5f5c95541640a52e611180

  • SHA1

    3159a573bf68b83c2f19c9d0c738f8995a8d9147

  • SHA256

    3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a

  • SHA512

    9674de07081da790be80096e7075dc69defcd6fc3fbc8688eb745087111c84afc8917034d4d07c7aa86583833d4f43e98d5a127d08f2dbce273431308b65c091

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

118.208.43.110:9991

118.208.43.110:9992

118.208.43.110:9993

118.208.43.110:9994

118.208.43.110:9995

118.208.43.110:10000

118.208.43.110:9000

Mutex

QSR_MUTEX_wm8imRtp10eDcwBwM1

Attributes

  • encryption_key

    CLr3aJXqYhM5uP8HVkUg

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a

    • Size

      628KB

    • MD5

      2ca449f58a5f5c95541640a52e611180

    • SHA1

      3159a573bf68b83c2f19c9d0c738f8995a8d9147

    • SHA256

      3cae11d6380b043b5564154e5afcbe5df33a76d9b1abd77ffa453300d72f771a

    • SHA512

      9674de07081da790be80096e7075dc69defcd6fc3fbc8688eb745087111c84afc8917034d4d07c7aa86583833d4f43e98d5a127d08f2dbce273431308b65c091

    • Modifies Windows Defender Real-time Protection settings

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                        Count  ID
Execution             Scheduled Task                   1      T1053
Persistence           Modify Existing Service          1      T1031
Persistence           Scheduled Task                   1      T1053
Privilege Escalation  Scheduled Task                   1      T1053
Defense Evasion       Modify Registry                  2      T1112
Defense Evasion       Disabling Security Tools         2      T1089
Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
Discovery             Query Registry                   5      T1012
Discovery             Virtualization/Sandbox Evasion   2      T1497
Discovery             System Information Discovery     4      T1082
Discovery             Peripheral Device Discovery      1      T1120

Tasks