quasar | 1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746

General

Target

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
Size

1.3MB
Sample

220607-x5d82saaa9
MD5

3522dc4a208a91f7042864ce15bc1398
SHA1

0d29e13a249fa713570418d5e1b306e59f4c7ea5
SHA256

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
SHA512

a2559e23bdf8791bd570842e70836319978214944c62065dc8ef67125ccd12ee37d9a82939fc8c62b8ec2913c993e0abf231c5f7e539e5bf2df6501ec4d99602

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

ZA ZA ZA ZA ZA ZAZA ZA ZA ZA ZA ZA

C2

94.242.224.249:222

Mutex

XxAa8FrSbGrHTm2bMoPtlPlHQKoAB4XGedNm

Attributes

encryption_key
Sj0W6u9cP4lwm6yCywzP
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
- Size
  
  1.3MB
- MD5
  
  3522dc4a208a91f7042864ce15bc1398
- SHA1
  
  0d29e13a249fa713570418d5e1b306e59f4c7ea5
- SHA256
  
  1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
- SHA512
  
  a2559e23bdf8791bd570842e70836319978214944c62065dc8ef67125ccd12ee37d9a82939fc8c62b8ec2913c993e0abf231c5f7e539e5bf2df6501ec4d99602
Score

10^/10

persistence quasar za za za za za zaza za za za za za spyware suricata trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar Payload

Quasar RAT

suricata: ET MALWARE Common RAT Connectivity Check Observed

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2