quasar | 5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23

General

Target

2bda8d6ee0e3ba6dbd8093272ca3b524
Size

1.5MB
Sample

231231-hbzwbsaaa6
MD5

2bda8d6ee0e3ba6dbd8093272ca3b524
SHA1

0d6243b098aff07091fc2caa8ca78ba6c5d285d3
SHA256

5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23
SHA512

8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744
SSDEEP

24576:KeV7YeExhf9aTXEuw+Plps89RjcyFShWVwjsgli:1KhwTzPlpjncDWG

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

NexionHackTOOLS

C2

lafeuilleocb.duckdns.org:1604

Mutex

SoOlYmLEeaTU8o2xXj

Attributes

encryption_key
EO5tiig6EEUjYq6qUEGc
install_name
NexiionHaclTOOLS.exe
log_directory
Logs
reconnect_delay
3000
startup_key
clses

Targets

- Target
  
  2bda8d6ee0e3ba6dbd8093272ca3b524
- Size
  
  1.5MB
- MD5
  
  2bda8d6ee0e3ba6dbd8093272ca3b524
- SHA1
  
  0d6243b098aff07091fc2caa8ca78ba6c5d285d3
- SHA256
  
  5889d4b8dd5501b5bb0c31e99fbfba2f35cfcc44acee80f271404ba6e1046c23
- SHA512
  
  8ce12e23a3dbb4a185a520a659e0095df4c4157b1d1b0b8eb783bbbe417c19c53ceeaf78fee4882e9a204b91b073e1731dfae50212ab379c0df303e0d56c6744
- SSDEEP
  
  24576:KeV7YeExhf9aTXEuw+Plps89RjcyFShWVwjsgli:1KhwTzPlpjncDWG
Score

10^/10

quasar nexionhacktools agilenet spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2