quasar | d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f | Triage

Submit
Reports

Overview

overview

Static

static

d0e1019396...2f.exe

windows7-x64

d0e1019396...2f.exe

windows10-2004-x64

Sharing

General

Target

d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
Size

786KB
Sample

220725-et6j2sedhl
MD5

0acf6ea8ea82fd3aae0da111f91e0052
SHA1

7a04c82c0081741a3fe211a7eda63584937ddea5
SHA256

d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
SHA512

da5d1d3cd47af8e66bc21ba33bc66782474c728a009f78b6040350107ffa4a8075bf6c0c70e383db62ab5e7ee7de681bf52f7d24bb0174cc8802e320505ced57

Score

10^/10

quasar wallets persistence spyware suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe

Resource

win7-20220718-en

quasar wallets persistence spyware suricata trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f.exe

Resource

win10v2004-20220721-en

quasar wallets persistence spyware suricata trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Wallets

C2

mailsdc61.ga:5490

Mutex

QSR_MUTEX_AlGzVdofAbXTg5UjU1

Attributes

encryption_key
kjsUY5tlvrmAWR8ZxfU3
install_name
skype.exe
log_directory
Logs
reconnect_delay
3000
startup_key
skype
subdirectory
AppData

Targets

- Target
  
  d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
- Size
  
  786KB
- MD5
  
  0acf6ea8ea82fd3aae0da111f91e0052
- SHA1
  
  7a04c82c0081741a3fe211a7eda63584937ddea5
- SHA256
  
  d0e1019396782435f18448f916bbd03371d132965538f9244f726ff240a6582f
- SHA512
  
  da5d1d3cd47af8e66bc21ba33bc66782474c728a009f78b6040350107ffa4a8075bf6c0c70e383db62ab5e7ee7de681bf52f7d24bb0174cc8802e320505ced57
Score

10^/10

quasar wallets persistence spyware suricata trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarwalletspersistencespywaresuricatatrojan

behavioral2

quasarwalletspersistencespywaresuricatatrojan

© 2018-2024

Terms | Privacy