quasar | 0364dd00aca1c715d27ee39db28962940b16b012a8cfd2e5fc3a59dae8f38a50 | Triage

Submit
Reports

Overview

overview

Static

static

8

99a2af2b1d...3.xlsm

windows7-x64

99a2af2b1d...3.xlsm

windows10-2004-x64

Sharing

General

Target

99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.zip
Size

39KB
Sample

230321-r3x1gsbd56
MD5

2a7d306aa35b253e36f4c5fbdd5ab148
SHA1

e1eaed164cb033f466168efd933e4d0b4a683a1b
SHA256

0364dd00aca1c715d27ee39db28962940b16b012a8cfd2e5fc3a59dae8f38a50
SHA512

f6e6d59818910b0315a5da48402b65d4c1bf835deaa8c4b007c64089c98370f75740c517d50eccef919fbb3d381f44b4b6a42fa20d70a7879890119063edd924
SSDEEP

768:08f0r2dczmaIr36Y3AX9EjTqX/KoyZqPeEg5etbYqq4dKvZtxe0:p0r2eVIuYc9STqXyoygPWlL4ohW0

Score

10^/10

quasar success macro persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm

Resource

win7-20230220-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm

Resource

win10v2004-20230220-en

quasar success persistence spyware trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

SUCCESS

C2

41.185.97.216:4782

Mutex

MUTEX_QAxMFzrXWG2cbIHPGK

Attributes

encryption_key
4DwUV8AnxPgmXSMeThKb
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
cmd
subdirectory
SubDir

Targets

- Target
  
  99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93.xlsm
- Size
  
  42KB
- MD5
  
  edef1e97fcca56228c1956db6b514f55
- SHA1
  
  00d1bb1cf96aee9a21508b23f6ac113153131b1c
- SHA256
  
  99a2af2b1d39d3ca267095cc733dd5e285b40b9c6b1709d34dbb213387c8df93
- SHA512
  
  ba718485a68b2a9f5c134e186309dae1d169c22fcc15a4d028121df564fd64a9805e3d31a7edf82279b371c883721dc4d8accc2a3fe02ab3b841cd184b7aa236
- SSDEEP
  
  768:WrvDK4vwssnjS7zWl2BIJYfTH+niSpwvDHvDv+nWfFFiKk/f1qtfHF7RT+nsFf:ivXvwTjSul2G1BoTvDv+0FFi3/dqJl7Z
Score

10^/10

quasar success persistence spyware trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

quasarsuccesspersistencespywaretrojan

© 2018-2024

Terms | Privacy