quasar | 5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2 | Triage

Submit
Reports

Overview

overview

Static

static

5660953fe6...d2.exe

windows7-x64

5660953fe6...d2.exe

windows10-2004-x64

Sharing

General

Target

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
Size

349KB
Sample

220725-eatq5sdecr
MD5

94cb4509fbc7d4a000a35094532b2dc6
SHA1

e3a609c58c08a2d34f6f384b40dcf5df0c361c39
SHA256

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
SHA512

7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3

Score

10^/10

quasar matei spyware suricata trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe

Resource

win7-20220718-en

quasar matei spyware suricata trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2.exe

Resource

win10v2004-20220721-en

quasar matei spyware suricata trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Matei

C2

getrektscrub.hopto.org:4782

Mutex

QSR_MUTEX_KkiFVxzP7AThmUYEE7

Attributes

encryption_key
g4oiMoBrx37SHLCg4wcA
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Targets

- Target
  
  5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
- Size
  
  349KB
- MD5
  
  94cb4509fbc7d4a000a35094532b2dc6
- SHA1
  
  e3a609c58c08a2d34f6f384b40dcf5df0c361c39
- SHA256
  
  5660953fe603b60d33cde0535a62dd597da2ed3fd1c07a9b08c7263e28c615d2
- SHA512
  
  7666036e3fbf7ad872f4bb9d5bc4761e4a4d4ce8cf6bd286b19da9a4496b970403852e6bf79ac26d1763c3206aeeecd491724d725fa342ede0e079149d329bc3
Score

10^/10

quasar matei spyware suricata trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
  suricata
- suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarmateispywaresuricatatrojan

behavioral2

quasarmateispywaresuricatatrojan

© 2018-2024

Terms | Privacy