quasar | 7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7 | Triage

Submit
Reports

Overview

overview

Static

static

1

Recrypted.exe

windows7-x64

Recrypted.exe

windows10-2004-x64

Sharing

General

Target

Recrypted.pif
Size

2.9MB
Sample

230309-jn2q5abb93
MD5

68a23c2fc62bddad0a2c6cf36003577b
SHA1

67a19bf734520933adfa28afc017c3af1d6a3d5b
SHA256

7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
SHA512

0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
SSDEEP

24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup

Score

10^/10

quasar success persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Recrypted.exe

Resource

win7-20230220-en

quasar success persistence spyware trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Recrypted.exe

Resource

win10v2004-20230220-en

quasar success persistence spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_QAxMFzrXWG2cbIHPGK

Attributes

encryption_key
4DwUV8AnxPgmXSMeThKb
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Targets

- Target
  
  Recrypted.pif
- Size
  
  2.9MB
- MD5
  
  68a23c2fc62bddad0a2c6cf36003577b
- SHA1
  
  67a19bf734520933adfa28afc017c3af1d6a3d5b
- SHA256
  
  7a6db8aecc2376ec7dfc50085757841523fb69135e364b70c7319bf7a39209d7
- SHA512
  
  0386671ee83c0825f80a0c95b4e21eb23054878546aff5d8ef63a3bcc6a32c53a61397009aee8e8c5fc171b1ed0e9b69a31111eb1b860e1ff67264fcac806cef
- SSDEEP
  
  24576:plubLwtFDS7FYNYD7264xnRhc/LSXxH227hqRCeFcOziFJLUfdKTgWA22222222:gZ7h4xnRhcGXxHxOqdq1pup
Score

10^/10

quasar success persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasarsuccesspersistencespywaretrojan

behavioral2

quasarsuccesspersistencespywaretrojan

© 2018-2024

Terms | Privacy