quasar | 996afa4a4194a60b56825e8589b8cd028cb593f6a619370c15ec04fa2659e500 | Triage

Submit
Reports

Overview

overview

Static

static

Vanta-Fn.exe

windows7-x64

Vanta-Fn.exe

windows10-2004-x64

Sharing

General

Target

Vanta-Fn.exe
Size

3.1MB
Sample

230322-thkwjabf9z
MD5

d41852e4e97ade129efe94cf773d10ff
SHA1

f999477106a8ea6506905abe6effe054c8e3db3b
SHA256

996afa4a4194a60b56825e8589b8cd028cb593f6a619370c15ec04fa2659e500
SHA512

4862f158153d25647901195e6f294bdb1c13ad8ffcaebe000f702f5c1fa49e631b04830baa27e172acf58b1bacbbefb3f99bf6a5d44d90ec21e3b8d9a20ee8cf
SSDEEP

49152:iv4hBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaGRepECs+k/iLkoGdQTHHB72eh2NT:ivqt2d5aKCuVPzlEmVQ0wvwfGReNg

Score

10^/10

quasar office04 evasion spyware stealer themida trojan

Static task

static1

office04 quasar

2 signatures

Behavioral task

behavioral1

Sample

Vanta-Fn.exe

Resource

win7-20230220-en

quasar office04 spyware trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

Vanta-Fn.exe

Resource

win10v2004-20230220-en

quasar office04 evasion spyware stealer themida trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

connorb839-25244.portmap.host:25244

Mutex

f2898513-d005-492e-9b72-aa39b77b1a27

Attributes

encryption_key
8CC861C5A1B05D3DCE95956911FE36B8D1042D36
install_name
Epic web repair tool.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Epic web repair
subdirectory
Epicwebservicesltd

Targets

- Target
  
  Vanta-Fn.exe
- Size
  
  3.1MB
- MD5
  
  d41852e4e97ade129efe94cf773d10ff
- SHA1
  
  f999477106a8ea6506905abe6effe054c8e3db3b
- SHA256
  
  996afa4a4194a60b56825e8589b8cd028cb593f6a619370c15ec04fa2659e500
- SHA512
  
  4862f158153d25647901195e6f294bdb1c13ad8ffcaebe000f702f5c1fa49e631b04830baa27e172acf58b1bacbbefb3f99bf6a5d44d90ec21e3b8d9a20ee8cf
- SSDEEP
  
  49152:iv4hBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaGRepECs+k/iLkoGdQTHHB72eh2NT:ivqt2d5aKCuVPzlEmVQ0wvwfGReNg
Score

10^/10

quasar office04 spyware trojan evasion stealer themida
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasaroffice04evasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy