quasar | a73e31f73387a5e43157b02f3df6edbebc54ab806dfc53054f4d0e2efbee5d54 | Triage

Submit
Reports

Overview

overview

Static

static

7

QSAR.exe

windows7-x64

QSAR.exe

windows10-2004-x64

Sharing

General

Target

QSAR.exe
Size

3.8MB
Sample

230605-c6h86sfb5v
MD5

b5f2bdcf06aae6c7e55c57fa3bb1233f
SHA1

ae89b4e0ab3042a82f876bca93af1cd51564625a
SHA256

a73e31f73387a5e43157b02f3df6edbebc54ab806dfc53054f4d0e2efbee5d54
SHA512

9b0bc29d4c15c0d18281b543c5e9c7b9ace5aaf65eb13d679ece6178f903e2d8763d037307021e987c68889db12c827ebeebc27848b66608c91481710eebb03a
SSDEEP

49152:dl93YePBeO8qmJmbEhN+TJBDgN8nCfV8ot35mzUNs6P/dXy8KGCz/W2nxLOpavvU:7ye5e4FbDI8sF1s6U8KGoTKIAQphv/Q

Score

10^/10

quasar discord updater evasion spyware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

QSAR.exe

Resource

win7-20230220-en

quasar discord updater evasion spyware themida trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

QSAR.exe

Resource

win10v2004-20230220-en

quasar discord updater evasion spyware themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Discord Updater

C2

34.95.169.39:9000

microsotf.ddns.net:9000

Mutex

159eba35-3396-4041-83ca-f7ae82b4a3c4

Attributes

encryption_key
DD11DD94FCA2BC6D9E7164A7520569590E885EE8
install_name
Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Updater
subdirectory
Discord Updater

Targets

- Target
  
  QSAR.exe
- Size
  
  3.8MB
- MD5
  
  b5f2bdcf06aae6c7e55c57fa3bb1233f
- SHA1
  
  ae89b4e0ab3042a82f876bca93af1cd51564625a
- SHA256
  
  a73e31f73387a5e43157b02f3df6edbebc54ab806dfc53054f4d0e2efbee5d54
- SHA512
  
  9b0bc29d4c15c0d18281b543c5e9c7b9ace5aaf65eb13d679ece6178f903e2d8763d037307021e987c68889db12c827ebeebc27848b66608c91481710eebb03a
- SSDEEP
  
  49152:dl93YePBeO8qmJmbEhN+TJBDgN8nCfV8ot35mzUNs6P/dXy8KGCz/W2nxLOpavvU:7ye5e4FbDI8sF1s6U8KGoTKIAQphv/Q
Score

10^/10

quasar discord updater evasion spyware themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

quasardiscord updaterevasionspywarethemidatrojan

behavioral2

quasardiscord updaterevasionspywarethemidatrojan

© 2018-2024

Terms | Privacy