quasar | 850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606

General

Target

7a39783b4df44b14c0bc4a9ab62c2870
Size

18.9MB
Sample

231226-s9qqesehek
MD5

7a39783b4df44b14c0bc4a9ab62c2870
SHA1

1278ed63bad5d24546584f274527a7c314df8867
SHA256

850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606
SHA512

d20beda7af98aea8d27e7423aa1fcb979bd966996848be2cccf9041a6545882be2c241c83d93df318818d7495262020927e0d82abfffe6ef5495415fd9106ca2
SSDEEP

393216:rIJm/0ywuOkd8cKjti/2gRJl9Y06abayqgiJXfd9lYbhsk8:rIJVz483iugR39YMsgqXfzlYbm

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

BRAVE21

C2

pettbull.ddns.net:4782

Mutex

06538f38-9c19-4cdf-83c8-8fafb759e15a

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
System32

Targets

- Target
  
  7a39783b4df44b14c0bc4a9ab62c2870
- Size
  
  18.9MB
- MD5
  
  7a39783b4df44b14c0bc4a9ab62c2870
- SHA1
  
  1278ed63bad5d24546584f274527a7c314df8867
- SHA256
  
  850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606
- SHA512
  
  d20beda7af98aea8d27e7423aa1fcb979bd966996848be2cccf9041a6545882be2c241c83d93df318818d7495262020927e0d82abfffe6ef5495415fd9106ca2
- SSDEEP
  
  393216:rIJm/0ywuOkd8cKjti/2gRJl9Y06abayqgiJXfd9lYbhsk8:rIJVz483iugR39YMsgqXfzlYbm
Score

10^/10

discovery quasar brave21 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2