quasar | 0847a32772909b1685150473294dccd837d8ab3bf8d3a42fc75e8402c8fa9237 | Triage

Submit
Reports

Overview

overview

Static

static

71de7ec63d...3d.exe

windows7-x64

71de7ec63d...3d.exe

windows10-2004-x64

Sharing

General

Target

71de7ec63dbc36eac4435afcd17ee03d.exe
Size

3.3MB
Sample

240320-mvh45sfe81
MD5

71de7ec63dbc36eac4435afcd17ee03d
SHA1

9c468f6dfae8fd63889e403a67aabc3257bd9e09
SHA256

0847a32772909b1685150473294dccd837d8ab3bf8d3a42fc75e8402c8fa9237
SHA512

5a7dccfe897b1940c9d2186bfc13508e4f8a55f15e6d8395f177f9e15ad97ad5c328d179a0d3113271e544d88e1bd74bb54d91bc3f8a8bcb6bd5b0ef142df8fd
SSDEEP

49152:LzbEXehF9XONWogPCy3RUn9NgLOb0THHB72eh2NTQAJ6:L8OLJVogPCy3an9OpAJ6

Score

10^/10

quasar service host: windows event log spyware trojan

Static task

static1

service host: windows event log quasar

3 signatures

Behavioral task

behavioral1

Sample

71de7ec63dbc36eac4435afcd17ee03d.exe

Resource

win7-20240221-en

quasar service host: windows event log spyware trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

71de7ec63dbc36eac4435afcd17ee03d.exe

Resource

win10v2004-20240226-en

quasar service host: windows event log spyware trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.3

Botnet

Service Host: Windows Event Log

C2

apple-coupled.gl.at.ply.gg:36473

147.185.221.18:36473

Mutex

44b6c65a-d844-4fa9-9d68-a7df5ab8b127

Attributes

encryption_key
8B7FB23965F229B24068B848FCD6536A6961D4FE
install_name
ServiceHostWindowsEventLog.exe
log_directory
runtime
reconnect_delay
5000
startup_key
Service Host
subdirectory
hdll

Targets

- Target
  
  71de7ec63dbc36eac4435afcd17ee03d.exe
- Size
  
  3.3MB
- MD5
  
  71de7ec63dbc36eac4435afcd17ee03d
- SHA1
  
  9c468f6dfae8fd63889e403a67aabc3257bd9e09
- SHA256
  
  0847a32772909b1685150473294dccd837d8ab3bf8d3a42fc75e8402c8fa9237
- SHA512
  
  5a7dccfe897b1940c9d2186bfc13508e4f8a55f15e6d8395f177f9e15ad97ad5c328d179a0d3113271e544d88e1bd74bb54d91bc3f8a8bcb6bd5b0ef142df8fd
- SSDEEP
  
  49152:LzbEXehF9XONWogPCy3RUn9NgLOb0THHB72eh2NTQAJ6:L8OLJVogPCy3an9OpAJ6
Score

10^/10

quasar service host: windows event log spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

service host: windows event logquasar

behavioral1

quasarservice host: windows event logspywaretrojan

behavioral2

quasarservice host: windows event logspywaretrojan

© 2018-2024

Terms | Privacy