quasar | 091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a

Sharing

Copy URL

Twitter E-mail

General

Target

MMLo7.Rat.rar
Size

5.7MB
Sample

230822-maabhadb7v
MD5

4747547f047d47bd37bc0d1b65625694
SHA1

827e3f9ca857ed95ef8185c80e5fa85fdffa28e4
SHA256

091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a
SHA512

3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241
SSDEEP

98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

xworm

Attributes

install_file
USB.exe

Extracted

Family

quasar

Version

1.3.3.7

Botnet

Office04

127.0.0.1:305

Mutex

QSR_MUTEX_2Q0xuNOWuzstz1nIHm

Attributes

encryption_key
yXJmgz868tgJWmotirHr
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  MMLo7.Rat.rar
- Size
  
  5.7MB
- MD5
  
  4747547f047d47bd37bc0d1b65625694
- SHA1
  
  827e3f9ca857ed95ef8185c80e5fa85fdffa28e4
- SHA256
  
  091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a
- SHA512
  
  3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241
- SSDEEP
  
  98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL
Score

10^/10

quasar xworm office04 rat spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3
- Target
  
  MMLo7 Rat.exe
- Size
  
  2.8MB
- MD5
  
  2dc24c81438806bd03b492b9a3f3c55c
- SHA1
  
  1b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89
- SHA256
  
  3edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149
- SHA512
  
  f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1
- SSDEEP
  
  49152:cTtjEoXzJndn324ktdDyXqimfg9vdsIvQBLjEWdK/EEj8iG/MRmJ:stnXzJ12lDyXJMsvGs8Ljc7oRR
Score

10^/10

microsoft phishing xworm rat trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral4 behavioral5 behavioral6
- Target
  
  turingmachine.exe
- Size
  
  286KB
- MD5
  
  c81a9adf64819041ac1435fab28004e3
- SHA1
  
  a126d54caabbdd6456ac1ddd57a4ead629f4f287
- SHA256
  
  5a1c7a22a6fbe36701b53b49a134ad37ab6194030753824a1bef260862902ac8
- SHA512
  
  3ec5bc46bd46a06271905614adde9e60dd30d2315eb700d36852c6d2e1207a6218d007a7eb9ef2f0134eae53b1a04305be61e314e0ca426e132e8660e0bdcf58
- SSDEEP
  
  6144:lGz3mOwb5nxTfSUkAxzi1jZtV6GUvUwibiCcefPgMJjaTbMFfCNB53C:2YxrOKHibiCce3jaU6B53C
Score

10^/10

microsoft phishing quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Quasar RAT

Quasar payload

Xworm

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Xworm

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detected potential entity reuse from brand microsoft.

Quasar RAT

Quasar payload

Detected potential entity reuse from brand microsoft.

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9