quasar | 7558e7249875adbe86b5eaea65fb420e064e17d4d670e50dae20b050166df631 | Triage

Sharing

General

Target

CraxsRatV3.rar
Size

36.7MB
Sample

230302-aklq3aag37
MD5

b9ba8c7725b056b4aa3c88236bfac2f5
SHA1

ea5c105f089989568bf4a8e5cde14342864e027a
SHA256

7558e7249875adbe86b5eaea65fb420e064e17d4d670e50dae20b050166df631
SHA512

f03946fa08820f68ae7fcffb813062d9fab5536e9edf2a4a2fac37627b5ef80a175bd0dc0e401c26d513af6c236243cf54dbc526057decbfaf9cca2f932d9188
SSDEEP

786432:jIvTAn9qN8Nc7aC+0RbjOugvgC3fCGwPciE6Axa2POA+I:jYoC9IueEWfVwb1snOA1

Score

10^/10

quasar agilenet discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Targets

- Target
  
  CraxsRatV3/Craxs-RAT-Builder.exe
- Size
  
  159KB
- MD5
  
  0d1b1c61a083b253810ede683435e6bc
- SHA1
  
  3a1c3f7a2d18d614a76d938d94b3af6f75580d9f
- SHA256
  
  fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb
- SHA512
  
  dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3
- SSDEEP
  
  1536:xdLBmgrojz6evQxNMBO1/pWhvCYbV7/9UtGwy7a37HM1Zgeroy:LUsojiMSBWhvX5C+GQ1J
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  CraxsRatV3/Tools/HVNC-Server.exe
- Size
  
  112KB
- MD5
  
  2bc558b0cf60f8c5a17d16299e07a030
- SHA1
  
  9a6a53a088cdbab38201b11015e58aacb85e1dc6
- SHA256
  
  83178407d4761df1439304df2f08ec6df4e216986fab12590b6339186291b591
- SHA512
  
  21ed30fb07a670ca4cf44527d34d201735dac1a9c23e7cc709983c3dbff75cdeec8380c2fe795270fd77203fa9e59b34a324acdb0815c8654b819269e52d9ce8
- SSDEEP
  
  3072:cl/0Gw9hSR3UFqhHe9Z0SZDz4PUF8FaBh3:cl8GjtChHh3
Score

1^/10
behavioral3 behavioral4
- Target
  
  CraxsRatV3/Tools/ResHacker.exe
- Size
  
  1.0MB
- MD5
  
  d285a10c73da68b027951a2038a7ae0d
- SHA1
  
  e3e5712df92ed49d6cd429799e6e557af093da06
- SHA256
  
  aeeac91ca85c59309a8d6f7109a84e1ee6d4817498417373e7c3c93dac7bb1e5
- SHA512
  
  150b47f6b4ab2c33c818843ddf30562c85055c1be5bbda7bc347bf36116b4d8d8f7b78303342e9eb667facd37a841eb7d930de325f25d170b680e97f8dfed48e
- SSDEEP
  
  24576:XS9wlTzi2gQO1PMV2DCHAJ2glv9fJVOYfJSzaSArbz2jQOS/:C9ijgQO1PMDozYAPz2UN/
Score

1^/10
behavioral5 behavioral6
- Target
  
  CraxsRatV3/Tools/vncviewer.exe
- Size
  
  1.5MB
- MD5
  
  b8d15cd10f1e9ff6adeae64fbbeb755b
- SHA1
  
  f962549e42b58a056b11a9ba9750a30bc76844d7
- SHA256
  
  823168f7ff268a96aa80d915d946411ef214e7597c73312b19f9723d704b1396
- SHA512
  
  1478c76b08a8aa9cf9db927ea371c192ade81d8e27d394613f05aa60011fa8bc46ada115ab4c8c9aa75fcf86dbb62f7089a211f58270c984a204c91465cd07af
- SSDEEP
  
  24576:Jj/05kjHhc0Vo68/RWyVae30Zh6FSCTpf2kveQn5poM5lcOBo:JY5kdc0G68/RVoe3+MTZ2kFroM5lxBo
Score

1^/10
behavioral7 behavioral8
- Target
  
  CraxsRatV3/cGeoIp.dll
- Size
  
  2.3MB
- MD5
  
  6d6e172e7965d1250a4a6f8a0513aa9f
- SHA1
  
  b0fd4f64e837f48682874251c93258ee2cbcad2b
- SHA256
  
  d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
- SHA512
  
  35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
- SSDEEP
  
  24576:TRgJE8pkCLLe/K43EnnnclQwIqJY0OjklWXQMFBRpmkL/59ah0USm3uwl00odi9p:TRgfX/59a6USdi9Ues6bV6boLO6r
Score

1^/10
behavioral10 behavioral9
- Target
  
  CraxsRatV3/client.bin
- Size
  
  904KB
- MD5
  
  b0e8ff9dd5453104b5b868262fd7a164
- SHA1
  
  f33424612617cb6fa9bdc2327c6e70f29d189bd4
- SHA256
  
  82f35cefdffb27759bf8665c9b997401c5df88e631531a4fd2cfee456f84246e
- SHA512
  
  fee5032e8d5956ed6fcf1d167118a9ac19dd4b251c57689eb5596161c263d84dca62bf1fb708f1dfe9773716943109db93efccabd3db87037cfb95acd3768f1c
- SSDEEP
  
  12288:mreLatt+487Ti+XVPJTtnBLF/5DJcTYTTups0MJ2XOtXwlkXbPkooLo:aej487Ti+XVPJTtnBLF/5DJ/lXwlkZf
Score

10^/10

quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
behavioral11 behavioral12
- Target
  
  CraxsRatV3/netstandard.dll
- Size
  
  96KB
- MD5
  
  0adf6f32f4d14f9b0be9aa94f7efb279
- SHA1
  
  68e1af02cddd57b5581708984c2b4a35074982a3
- SHA256
  
  8be4a2270f8b2bea40f33f79869fdcca34e07bb764e63b81ded49d90d2b720dd
- SHA512
  
  f81ac2895048333ac50e550d2b03e90003865f18058ce4a1dfba9455a5bda2485a2d31b0fdc77f6cbdfb1bb2e32d9f8ab81b3201d96d56e060e4a440719502d6
- SSDEEP
  
  1536:Q2Ec05j4eAH64rh5fSt5T9nFcI94WiVQTjpu:nlK4eA7mDmWqQXpu
Score

1^/10
behavioral13 behavioral14
- Target
  
  CraxsRatV3/resource/data.dat
- Size
  
  6.5MB
- MD5
  
  a21db5b6e09c3ec82f048fd7f1c4bb3a
- SHA1
  
  e7ffb13176d60b79d0b3f60eaea641827f30df64
- SHA256
  
  67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
- SHA512
  
  7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
- SSDEEP
  
  98304:KAc94bqa9niwFYWLqDuTTTTTTdfPPpWLq+Guf2W2b6F72q0:KAcC9iwFYWuDCPPpWu+GduZ2L
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryspywarestealer

behavioral2

discoveryspywarestealer

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

quasarspywaretrojan

behavioral12

quasarspywaretrojan

behavioral13

behavioral14

behavioral15

behavioral16