quasar | d580d7cf10f4eb1cd8aa0cbf80c30f832a0f052c33cdc3d1cf3710e6b67528a8 | Triage

Submit
Reports

Overview

overview

Static

static

Remote Adm...ol.exe

windows7-x64

Remote Adm...ol.exe

windows10-2004-x64

Sharing

General

Target

Remote Administration Tool.exe
Size

3.1MB
Sample

230804-2fs35afh9x
MD5

73dcb3b3b59192b45f1975fc7a8e9d08
SHA1

5fdaa30f92acc816c3b43db076f98c91391a3588
SHA256

d580d7cf10f4eb1cd8aa0cbf80c30f832a0f052c33cdc3d1cf3710e6b67528a8
SHA512

adce937291bf7c34e255d4b9785884552828cc07fc00b78842402e72e5addb31f61265c2aec593f5bdc1f041bdafd93758bfbc102c8ab25e4bbc7819c16aacc7
SSDEEP

49152:zv2I22SsaNYfdPBldt698dBcjHPby3EfsAk/WPPoGdfTHHB72eh2NT:zvb22SsaNYfdPBldt6+dBcjHPby2H

Score

10^/10

quasar infected persistence pyinstaller spyware stealer trojan

Static task

static1

infected quasar

3 signatures

Behavioral task

behavioral1

Sample

Remote Administration Tool.exe

Resource

win7-20230712-en

quasar infected spyware trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

Remote Administration Tool.exe

Resource

win10v2004-20230703-en

quasar infected persistence pyinstaller spyware stealer trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Infected

C2

AmirAmir8565-20409.portmap.host:20409

Mutex

ff410ede-beff-4970-8e12-7d251057f1fd

Attributes

encryption_key
1B172706DED462B59F2A5056AB06A8DD1EE8491B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek Audio
subdirectory
SubDir

Targets

- Target
  
  Remote Administration Tool.exe
- Size
  
  3.1MB
- MD5
  
  73dcb3b3b59192b45f1975fc7a8e9d08
- SHA1
  
  5fdaa30f92acc816c3b43db076f98c91391a3588
- SHA256
  
  d580d7cf10f4eb1cd8aa0cbf80c30f832a0f052c33cdc3d1cf3710e6b67528a8
- SHA512
  
  adce937291bf7c34e255d4b9785884552828cc07fc00b78842402e72e5addb31f61265c2aec593f5bdc1f041bdafd93758bfbc102c8ab25e4bbc7819c16aacc7
- SSDEEP
  
  49152:zv2I22SsaNYfdPBldt698dBcjHPby3EfsAk/WPPoGdfTHHB72eh2NT:zvb22SsaNYfdPBldt6+dBcjHPby2H
Score

10^/10

quasar infected spyware trojan persistence pyinstaller stealer
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

BITS Jobs

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Defense Evasion

BITS Jobs

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarinfectedspywaretrojan

behavioral2

quasarinfectedpersistencepyinstallerspywarestealertrojan

© 2018-2024

Terms | Privacy