quasar | 00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25 | Triage

Submit
Reports

Overview

overview

Static

static

26aba4e9a0...88.exe

windows7-x64

26aba4e9a0...88.exe

windows10-2004-x64

Sharing

General

Target

26aba4e9a028a23c065ce9611c164288.exe
Size

2.8MB
Sample

220925-a2bx7aceg6
MD5

26aba4e9a028a23c065ce9611c164288
SHA1

58bc1e70429c58615863e1704d3a6b575fab767f
SHA256

00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25
SHA512

0db32f58a5d54d04bd3ca60111b3963a50741893a16325a2f3bbeba237fc280fa6f3c63d054d5b9cef0443e8e5ed1de38e4a459c3e7f0c3be4d0a054e08b5095
SSDEEP

49152:ZfjG7SXx1c7V1tgRk5ysKxqEDtIupA7f/za32ehyfT36Dq2w:ZfSSB1c7V1yypKxq1ubw

Score

10^/10

quasar office04 persistence spyware trojan

Static task

static1

office04 quasar

2 signatures

Behavioral task

behavioral1

Sample

26aba4e9a028a23c065ce9611c164288.exe

Resource

win7-20220812-en

quasar office04 persistence spyware trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

26aba4e9a028a23c065ce9611c164288.exe

Resource

win10v2004-20220812-en

quasar office04 persistence spyware trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

39.107.242.96:47820

Mutex

fda87a73-83f3-4200-85c4-d2289eb5f51f

Attributes

encryption_key
38F957A7714EBE6FC27E56C6EAB8BADC987F5E2B
install_name
Windows Search.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsSearchPrograms
subdirectory
WindowsSearch

Targets

- Target
  
  26aba4e9a028a23c065ce9611c164288.exe
- Size
  
  2.8MB
- MD5
  
  26aba4e9a028a23c065ce9611c164288
- SHA1
  
  58bc1e70429c58615863e1704d3a6b575fab767f
- SHA256
  
  00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25
- SHA512
  
  0db32f58a5d54d04bd3ca60111b3963a50741893a16325a2f3bbeba237fc280fa6f3c63d054d5b9cef0443e8e5ed1de38e4a459c3e7f0c3be4d0a054e08b5095
- SSDEEP
  
  49152:ZfjG7SXx1c7V1tgRk5ysKxqEDtIupA7f/za32ehyfT36Dq2w:ZfSSB1c7V1yypKxq1ubw
Score

10^/10

quasar office04 persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasaroffice04persistencespywaretrojan

behavioral2

quasaroffice04persistencespywaretrojan

© 2018-2024

Terms | Privacy