quasar | 46bac1db5da211b56dd46d88afd80b378fa4cf47a75a3e05920db4fe9dd24fd5

General

Target

Dox_Tool_V3_Cracked.rar
Size

1.6MB
Sample

230530-2tbq1abh95
MD5

18683f6c7304589153f7c317ad6fb0d6
SHA1

d10f08d059ba9793204ef8c77220738af480da22
SHA256

46bac1db5da211b56dd46d88afd80b378fa4cf47a75a3e05920db4fe9dd24fd5
SHA512

569c4c7c68813c695666427c4523e157bd2253a0e71d321f35b6fecf71f6f91a24371484cc72a7bbb1f5996f47b824365cbd0e5168b49e1a7c1f2f514c1d5009
SSDEEP

49152:47oG4dTLfbeI2n38cQQcZKvXFTcvWmpHOrkXfTs:VkncsvVTcvWmpH6kPTs

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.1.11:4782

Mutex

QSR_MUTEX_f39lWqYnYtP5YngtM5

Attributes

encryption_key
c5q7P5jsfrwN6nB5c3mG
install_name
SystemUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Targets

- Target
  
  Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked.exe
- Size
  
  207KB
- MD5
  
  6c206cadf297a02c0af977c65637a166
- SHA1
  
  7d382b1e6cefd120f9d87f894e14088e18d01c73
- SHA256
  
  f4f78f44719af71a363bd50107840f53f8eebf3190505c10bac2cf7be3c29e59
- SHA512
  
  2672ae02fb6b768861f469556f9818fd84866d62122f243309b5f2d13c4c907b6555e968bfb4b10cd48188fe3b2182b15ee7f425ddd14835b483d0dfe721b515
- SSDEEP
  
  3072:a4lci2Fg23Ii0qLTqBGsx/2JNRnvcXCevyLNgtlr:a6ci8giNLZW2HRnvKClg
Score

10^/10

quasar office04 discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1
- Target
  
  Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/data/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  Dox Tool V3 Cracked/Dox Tool V3 Cracked/Dox Tool V3 Cracked/data/doxsys.exe
- Size
  
  1.0MB
- MD5
  
  8f36caf603f3f2b192c5fd06a8e3c699
- SHA1
  
  44f387152ee1fb02a83ed0be5e942fd4a733e235
- SHA256
  
  0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38
- SHA512
  
  9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba
- SSDEEP
  
  12288:GNTWV+v54B9H+hyf2SF6L6D5hKMzPg9e0oEPABi:GWVa4bHwkSYa4gk0omA
Score

10^/10

quasar office04 discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral3