Malware sandboxing report by Hatching Triage

General

Target

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
Size

2MB
Sample

230206-y7txysba5y
MD5

b162ab57ef8877c9ab873932e3025039
SHA1

f7f290cf666bc4e8877a5ef09b8ed1ab8291638f
SHA256

105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2
SHA512

13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d
SSDEEP

24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Pure____1

C2

sabifati.linkpc.net:4784

deli.mywire.org:4784

Attributes

encryption_key
78BC50021362B61652204981B13FE17E053A03F1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
- Size
  
  2MB
- MD5
  
  b162ab57ef8877c9ab873932e3025039
- SHA1
  
  f7f290cf666bc4e8877a5ef09b8ed1ab8291638f
- SHA256
  
  105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2
- SHA512
  
  13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d
- SSDEEP
  
  24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2
Score

10^/10

quasar pure____1 persistence spyware trojan evasion
- Modifies WinLogon for persistence
  persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Nirsoft
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Service Stop

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies WinLogon for persistence

Quasar RAT

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Nirsoft

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2