quasar | 722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd | Triage

Submit
Reports

Overview

overview

Static

static

1

dfab2d1e82...ee.exe

windows7-x64

7

dfab2d1e82...ee.exe

windows10-2004-x64

Sharing

General

Target

dfab2d1e82849333afbacbee3c34f3ee
Size

1.5MB
Sample

230320-h9tf7sed6s
MD5

dfab2d1e82849333afbacbee3c34f3ee
SHA1

f5de021e17f4e080302a1a10f8471b3ccccbaba7
SHA256

722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd
SHA512

156ee882e000adca7609e3fd20208abbef501a98cd290f48e1e35aaeb3ff95c1bf45f7f052f689182a37f89de022cb3710d4020c6a542187a629c7846a62e840
SSDEEP

24576:DWmAFubSDY4ImEadU/WnVW+g1koqHEjj075OCRMY9U0qbuoiRLzFwJsB0nUWpvWL:L20tLv/avgGdkjjQuY9UuogVBsUgm

Score

10^/10

quasar 2 spyware trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

dfab2d1e82849333afbacbee3c34f3ee.exe

Resource

win7-20230220-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

dfab2d1e82849333afbacbee3c34f3ee.exe

Resource

win10v2004-20230220-en

quasar 2 spyware trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

2

C2

64.52.80.152:4782

Mutex

rilN1fAD44GAdui4NQWxRcZ5xvcTflQkoO1X

Attributes

encryption_key
Bdpmr7D1QFqfxRDrBKr2
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  dfab2d1e82849333afbacbee3c34f3ee
- Size
  
  1.5MB
- MD5
  
  dfab2d1e82849333afbacbee3c34f3ee
- SHA1
  
  f5de021e17f4e080302a1a10f8471b3ccccbaba7
- SHA256
  
  722b72dc48a27d091bf8904c3cb4b71613eceaa099122c070a1f16880dcbc5bd
- SHA512
  
  156ee882e000adca7609e3fd20208abbef501a98cd290f48e1e35aaeb3ff95c1bf45f7f052f689182a37f89de022cb3710d4020c6a542187a629c7846a62e840
- SSDEEP
  
  24576:DWmAFubSDY4ImEadU/WnVW+g1koqHEjj075OCRMY9U0qbuoiRLzFwJsB0nUWpvWL:L20tLv/avgGdkjjQuY9UuogVBsUgm
Score

10^/10

upx quasar 2 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

quasar2spywaretrojanupx

© 2018-2024

Terms | Privacy