quasar | 858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b | Triage

Submit
Reports

Overview

overview

Static

static

8

Estado de cuenta.xls

windows7-x64

1

Estado de cuenta.xls

windows10-2004-x64

Sharing

General

Target

Estado de cuenta.xls
Size

369KB
Sample

221127-vs5t5ahe7x
MD5

f5a8b72709235c68196a397174152660
SHA1

ab863a70358f150e3f0da53c330f7226d46037f4
SHA256

858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
SHA512

f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
SSDEEP

6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I

Score

10^/10

quasar hop macro macro_on_action persistence spyware trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

Estado de cuenta.xls

Resource

win7-20220812-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

Estado de cuenta.xls

Resource

win10v2004-20220812-en

quasar hop persistence spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hop

C2

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_gKkre5ge46OKHHYV4m

Attributes

encryption_key
MWS1P9A8h60dOGbuRmwt
install_name
hvc.exe
log_directory
Logs
reconnect_delay
4000
startup_key
hrr
subdirectory
hik

Targets

- Target
  
  Estado de cuenta.xls
- Size
  
  369KB
- MD5
  
  f5a8b72709235c68196a397174152660
- SHA1
  
  ab863a70358f150e3f0da53c330f7226d46037f4
- SHA256
  
  858963fa777ab0af515f7a81ff5ce29ffdda5361c67137cf0be35095bc7f1d9b
- SHA512
  
  f3b247cbec98ea8423358b589dde1fb5ea17b66efe169e68536cf901f9309e34c3f9883125fd153908150ae680292987b286ede90b461875ac0557ba368579f1
- SSDEEP
  
  6144:exEtjPOtioVjDGUU1qfDlavx+W2QnAbwYqzklWhUPheJl7Gpe8Kg2nOQcSRWQSSL:GwYqzklavDiknOfySloh16I
Score

10^/10

quasar hop persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

quasarhoppersistencespywaretrojan

© 2018-2024

Terms | Privacy