quasar | 17f5902438ae8e7874be0cf1481d689b7cb4555934c0d48321ea085bee137248 | Triage

Sharing

General

Target

HEUR-Backdoor.MSIL.Quasar.gen-17f5902438ae8e7874be0cf1481d689b7cb4555934c0d48321ea085bee137248.exe
Size

144KB
Sample

221228-k9n8lahh36
MD5

7f7fa947c50c3f910aeb0ab971ddbe30
SHA1

fae2adb3424a82d8922e512b823bd85b9e1f9d00
SHA256

17f5902438ae8e7874be0cf1481d689b7cb4555934c0d48321ea085bee137248
SHA512

9966ea045c835e97c93e34f00708e9d1cc88053dd7eb36a0aafe80596f902a51868c6a43a818a3e79e1db341ce69708c0a61da16c4f0c630abaa46c8c7278388
SSDEEP

3072:TW9VDGgVRschltqD7J/+kD5f2VX7X9sYoo:i9VL0GlMD7ImfOXL9ko

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

primary-comment.at.playit.gg:29022

Mutex

OxNTiA3vaw7DPYLLek

Attributes

encryption_key
jhDT0w3MDDqnddR6Tjen
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  HEUR-Backdoor.MSIL.Quasar.gen-17f5902438ae8e7874be0cf1481d689b7cb4555934c0d48321ea085bee137248.exe
- Size
  
  144KB
- MD5
  
  7f7fa947c50c3f910aeb0ab971ddbe30
- SHA1
  
  fae2adb3424a82d8922e512b823bd85b9e1f9d00
- SHA256
  
  17f5902438ae8e7874be0cf1481d689b7cb4555934c0d48321ea085bee137248
- SHA512
  
  9966ea045c835e97c93e34f00708e9d1cc88053dd7eb36a0aafe80596f902a51868c6a43a818a3e79e1db341ce69708c0a61da16c4f0c630abaa46c8c7278388
- SSDEEP
  
  3072:TW9VDGgVRschltqD7J/+kD5f2VX7X9sYoo:i9VL0GlMD7ImfOXL9ko
Score

10^/10

quasar office04 persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04persistencespywaretrojan

behavioral2