General

  • Target

    1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746

  • Size

    1.3MB

  • Sample

    220607-x5d82saaa9

  • MD5

    3522dc4a208a91f7042864ce15bc1398

  • SHA1

    0d29e13a249fa713570418d5e1b306e59f4c7ea5

  • SHA256

    1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746

  • SHA512

    a2559e23bdf8791bd570842e70836319978214944c62065dc8ef67125ccd12ee37d9a82939fc8c62b8ec2913c993e0abf231c5f7e539e5bf2df6501ec4d99602

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

ZA ZA ZA ZA ZA ZAZA ZA ZA ZA ZA ZA

C2

94.242.224.249:222

Mutex

XxAa8FrSbGrHTm2bMoPtlPlHQKoAB4XGedNm

Attributes
  • encryption_key

    Sj0W6u9cP4lwm6yCywzP

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Targets

    • Quasar Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • suricata: ET MALWARE Common RAT Connectivity Check Observed

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      1      T1112
  Discovery        Remote System Discovery              1      T1018

Tasks