quasar | 5cd433402b80eb5c05b6bdfaaacea035e50dc3ae0e9781d2b8c725401621ee51 | Triage

Submit
Reports

Overview

overview

Static

static

1

yandi.exe

windows7-x64

yandi.exe

windows10-2004-x64

8

Sharing

General

Target

yandi.exe
Size

27.0MB
Sample

230316-a8qd6aad9z
MD5

628ef85da2276618c00a61794d9b0ae8
SHA1

6ea6b2c1eb84bcab7cc07608efd130c0fd2dec0a
SHA256

5cd433402b80eb5c05b6bdfaaacea035e50dc3ae0e9781d2b8c725401621ee51
SHA512

66a82e37d32edb84c106b4ff013359ba1409c2d24db524b0ee8f9983801c92fc9ca98ae5cf0689405d35a3b2c0bfc9c6ff63353f6f56393c3b94a67f57175fb6
SSDEEP

192:5ucYR8AtNdPZ6Gygw2NSbzphrUG+5Ar5WIhjWN69vXHcVS6LokMaYalvVp+pGdRt:uR8AtNdPZ6Gy24zTeqvXdkMcHggnOlu

Score

10^/10

quasar stealerium bigfis spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

yandi.exe

Resource

win7-20230220-en

quasar stealerium bigfis spyware stealer themida trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

yandi.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1033886426409996369/deZ7UCSWZhAXaAdSXmn9OTdcTs1FBytKGyMGCW0hcz2kUH1sES6uBY16PqykOZUlgt_z

Extracted

Family

quasar

Version

1.4.0

Botnet

bigfis

C2

craciton.duckdns.org:7771

dashmicrosoft.duckdns.org:7771

microsing.duckdns.org:7771

glare.hadaw.ml:20872

Mutex

587b7d5c-0131-4b8d-880d-662f0a9f65fa

Attributes

encryption_key
2C0C62BDD42E42BC77F98F8E1EE713B43F791267
install_name
WindowsServe.exe
log_directory
MicrosoftEnlightenment
reconnect_delay
101
startup_key
Microsoft Helper
subdirectory
WindowsSDTR

Targets

- Target
  
  yandi.exe
- Size
  
  27.0MB
- MD5
  
  628ef85da2276618c00a61794d9b0ae8
- SHA1
  
  6ea6b2c1eb84bcab7cc07608efd130c0fd2dec0a
- SHA256
  
  5cd433402b80eb5c05b6bdfaaacea035e50dc3ae0e9781d2b8c725401621ee51
- SHA512
  
  66a82e37d32edb84c106b4ff013359ba1409c2d24db524b0ee8f9983801c92fc9ca98ae5cf0689405d35a3b2c0bfc9c6ff63353f6f56393c3b94a67f57175fb6
- SSDEEP
  
  192:5ucYR8AtNdPZ6Gygw2NSbzphrUG+5Ar5WIhjWN69vXHcVS6LokMaYalvVp+pGdRt:uR8AtNdPZ6Gy24zTeqvXdkMcHggnOlu
Score

10^/10

quasar stealerium bigfis spyware stealer themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarstealeriumbigfisspywarestealerthemidatrojan

behavioral2

© 2018-2024

Terms | Privacy