quasar | 408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38 | Triage

Submit
Reports

Overview

overview

Static

static

Odeme.exe

windows7-x64

Odeme.exe

windows10-2004-x64

Sharing

General

Target

Odeme.exe
Size

1.8MB
Sample

221110-llf3raaehm
MD5

e40f64fd383df33b756de97b76508dc4
SHA1

8ea35ba8262b532748633d555ef1a5b5fb219562
SHA256

408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
SHA512

cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
SSDEEP

24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G

Score

10^/10

quasar top spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Odeme.exe

Resource

win7-20220812-en

quasar top spyware trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Odeme.exe

Resource

win10v2004-20220812-en

quasar top spyware trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

top

C2

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_NKzsG6279pND1MmPDw

Attributes

encryption_key
6c7zzdS2IXrGaCb9wrMU
install_name
tors.exe
log_directory
Logs
reconnect_delay
5000
startup_key
tdm
subdirectory
tilk

Targets

- Target
  
  Odeme.exe
- Size
  
  1.8MB
- MD5
  
  e40f64fd383df33b756de97b76508dc4
- SHA1
  
  8ea35ba8262b532748633d555ef1a5b5fb219562
- SHA256
  
  408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
- SHA512
  
  cccbbb34e768cab2b4ffeede69536b068e60789738a74f2b6fcc3628ba0b6e89d4b3d2dbc3400e33258505fddbbcefcc02a9eb41acea0822c175dc7a16f17b2f
- SSDEEP
  
  24576:bGHCm8uPdJdbmQGE6GnkKsTgV7OlsUpQpqmjVxMebNVzNFm0TSG:auWBiEHs8VGs0Qsmpyeb32G
Score

10^/10

quasar top spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasartopspywaretrojan

behavioral2

quasartopspywaretrojan

© 2018-2024

Terms | Privacy