quasar | d90d108900ca928c0e23563af58973e560594b0c7695a990f3fdcbfdfcf56ffa | Triage

Submit
Reports

Overview

overview

Static

static

3

Capture_de...12.exe

windows7-x64

3

Capture_de...12.exe

windows10-2004-x64

Sharing

General

Target

Capture_decran_2023-05-30_a_19.07.12.exe
Size

201KB
Sample

230609-v9flkacg63
MD5

ef323891840b80c94f2e6f5d833e5766
SHA1

ee3ef64ce080ed9cb1cde9fc6a7c87153023809b
SHA256

d90d108900ca928c0e23563af58973e560594b0c7695a990f3fdcbfdfcf56ffa
SHA512

1348c54746db626833580748e7d17250f4aa66eb7142902d74942319a61d00b94087728f6d09edfead667124a3f0049e41d27adc16d64702ad5653a543111d68
SSDEEP

1536:37f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfegIxaZxBF+DNQAhGZ3Qp7n:rliUPXC8k1nJrX+fNTBfugr+DmZoonG

Score

10^/10

quasar office04 spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Capture_decran_2023-05-30_a_19.07.12.exe

Resource

win7-20230220-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

Capture_decran_2023-05-30_a_19.07.12.exe

Resource

win10v2004-20230220-en

quasar office04 spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

ratcentho.ddns.net:1604

Mutex

a48091b5-8649-4186-b51d-37847b346bbb

Attributes

encryption_key
E111C166FC0FC5E69CF243BDE5027B1BBD76712A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
csrss
subdirectory
SubDir

Targets

- Target
  
  Capture_decran_2023-05-30_a_19.07.12.exe
- Size
  
  201KB
- MD5
  
  ef323891840b80c94f2e6f5d833e5766
- SHA1
  
  ee3ef64ce080ed9cb1cde9fc6a7c87153023809b
- SHA256
  
  d90d108900ca928c0e23563af58973e560594b0c7695a990f3fdcbfdfcf56ffa
- SHA512
  
  1348c54746db626833580748e7d17250f4aa66eb7142902d74942319a61d00b94087728f6d09edfead667124a3f0049e41d27adc16d64702ad5653a543111d68
- SSDEEP
  
  1536:37f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIfegIxaZxBF+DNQAhGZ3Qp7n:rliUPXC8k1nJrX+fNTBfugr+DmZoonG
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy