quasar | 6dace0bce0139f7a90be79aaa73a97df7903fc31ddbed4ba16a7712e0d20a9d7 | Triage

Submit
Reports

Overview

overview

Static

static

8

1.xlsm

windows7-x64

1.xlsm

windows10-2004-x64

Sharing

General

Target

1.xlsm
Size

42KB
Sample

230127-la1m1sbe5t
MD5

9567cc095b840a0156939bd14bd60d1b
SHA1

bc066fb87caf1ea2dd5e710210a40371f83945b5
SHA256

6dace0bce0139f7a90be79aaa73a97df7903fc31ddbed4ba16a7712e0d20a9d7
SHA512

434558080df7752ee37bf738f3e73abff7f1f19c43dd9f99f7d5623caedcb9fd70c798922798d0b00ee23bf8b824ce5c972602cb96f8bb7e9899e8bcd7554be6
SSDEEP

768:RZvptTvBssn/24oBIJYfTH+niSpFvDHz0v+nW6FFiKk/fGqtCAwgRy+nQ+1N:bvHvBTfoG1BnTz0v+hFFi3/eqE5gzQ+f

Score

10^/10

quasar success macro persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1.xlsm

Resource

win7-20220901-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

1.xlsm

Resource

win10v2004-20220812-en

quasar success persistence spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_QAxMFzrXWG2cbIHPGK

Attributes

encryption_key
JRUJdiIOmPJ5LlsFaVs9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Targets

- Target
  
  1.xlsm
- Size
  
  42KB
- MD5
  
  9567cc095b840a0156939bd14bd60d1b
- SHA1
  
  bc066fb87caf1ea2dd5e710210a40371f83945b5
- SHA256
  
  6dace0bce0139f7a90be79aaa73a97df7903fc31ddbed4ba16a7712e0d20a9d7
- SHA512
  
  434558080df7752ee37bf738f3e73abff7f1f19c43dd9f99f7d5623caedcb9fd70c798922798d0b00ee23bf8b824ce5c972602cb96f8bb7e9899e8bcd7554be6
- SSDEEP
  
  768:RZvptTvBssn/24oBIJYfTH+niSpFvDHz0v+nW6FFiKk/fGqtCAwgRy+nQ+1N:bvHvBTfoG1BnTz0v+hFFi3/eqE5gzQ+f
Score

10^/10

quasar success persistence spyware trojan
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

quasarsuccesspersistencespywaretrojan

© 2018-2024

Terms | Privacy