quasar | b015b400bb4697f7380a3282cf945a3d16a31a8f75668afdf0acd5b70adf2d02 | Triage

Submit
Reports

Overview

overview

Static

static

3

FireFlies.exe

windows11-21h2-x64

Sharing

General

Target

FireFlies.exe
Size

748KB
Sample

240118-v7jv7sehe3
MD5

860fcfb2215baf853a832034e9453a7d
SHA1

ae2fed6c23d1c9f409ca7e2e47e154582519f04c
SHA256

b015b400bb4697f7380a3282cf945a3d16a31a8f75668afdf0acd5b70adf2d02
SHA512

688aab0781c51e2e18b64e870ec3e70cbfd1353934ede3bd8d8ce66183c621a40129496dae0363350e74db291c252749806a98c18b705dcfd4f5edf3c5a98a57
SSDEEP

12288:nZ5XIZvKtjSlpzQ6cxBD0eDr3rPq5XIZvKtjSlpzQ6cxBD0eDr3rPIFRVR/:nf6vMxBDBDvPY6vMxBDBDvPq

Score

10^/10

quasar umbral office04 spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

FireFlies.exe

Resource

win11-20231215-en

quasar umbral office04 spyware stealer trojan

windows11-21h2-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1160310307609120789/rXDfzEAlPL0Bu1LrYprFmlBAs5RPl58Ukf1e6xALA7EaX_-5EMRHl_7QEahpvikDoDLR

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

91.168.76.126:32770

91.168.76.126:32771

Mutex

a7690a4d-0e0e-481d-b949-23c715844aa7

Attributes

encryption_key
3B3DD6831EEF1072B2B0C196C0726EEBAA9960B2
install_name
Fireflies.exe
log_directory
Logz
reconnect_delay
3000
startup_key
Update
subdirectory
FireFliesTeam

Targets

- Target
  
  FireFlies.exe
- Size
  
  748KB
- MD5
  
  860fcfb2215baf853a832034e9453a7d
- SHA1
  
  ae2fed6c23d1c9f409ca7e2e47e154582519f04c
- SHA256
  
  b015b400bb4697f7380a3282cf945a3d16a31a8f75668afdf0acd5b70adf2d02
- SHA512
  
  688aab0781c51e2e18b64e870ec3e70cbfd1353934ede3bd8d8ce66183c621a40129496dae0363350e74db291c252749806a98c18b705dcfd4f5edf3c5a98a57
- SSDEEP
  
  12288:nZ5XIZvKtjSlpzQ6cxBD0eDr3rPq5XIZvKtjSlpzQ6cxBD0eDr3rPIFRVR/:nf6vMxBDBDvPY6vMxBDBDvPq
Score

10^/10

quasar umbral office04 spyware stealer trojan
- Detect Umbral payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarumbraloffice04spywarestealertrojan

© 2018-2025

Terms | Privacy