darktrack

Sharing

Copy URL

Twitter E-mail

General

Target

Quasar_Gold.zip
Size

7.4MB
Sample

240418-h3j9ysfg8s
MD5

d9bc746648602aa2f4a71a1bed9749c1
SHA1

d427e3744bc5149402c9fb8acf08c91c672bad1c
SHA256

3682f63442374a284f1b5f996da477f3cf024ffd5fa5f2bf064ef80136b81a04
SHA512

37df0b2339184a1d348d60d7c6028552914c23dbe8259b160d202cd12fa985a9ec28b39d83f8b3b24bd14838a9b49a3b11d798505815f919e87d189af4017205
SSDEEP

196608:UGTzFapiJe7xLKDwbjFCxUaJ0j1Cn4HN25gmgPyG4j5Cq44N7LhjvuFEU:Uy5juKDWCxR0G4HkQPQCaHhjvuyU

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Targets

- Target
  
  Quasar_Gold/Include/NCC2.dll
- Size
  
  13KB
- MD5
  
  12e7983a050a5f7f7b501d3cda914248
- SHA1
  
  6ce5d9b763fc05dcdfcaea79a62a8352371d749c
- SHA256
  
  a0b6bb521e52a99abf5ac1017302da014d37296619078d42d9edf5d86d137f63
- SHA512
  
  0b8788c858c35e0f8f56d552518adb71c847240f6d7c199243e046c4c2e2ae32cb035a0bc5098631656c5d7d772be4fdfdc6a4e19e00092fb3eb09044998be97
- SSDEEP
  
  192:jKsAWXvf+AxcTC6xFrnT5xoqMSqzqqJocD/HCtVWAc3XTEqx2CvAPhz:9Z/f+XT/xBwqMSqeqqcmUDhKhz
Score

1^/10
behavioral1 behavioral2
- Target
  
  Quasar_Gold/Include/NCC3.dll
- Size
  
  72KB
- MD5
  
  aa84f91edd922e7b3bb979e663c94f1a
- SHA1
  
  da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
- SHA256
  
  38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
- SHA512
  
  88392fc77a0300ece306908867be38011530d9eefdf003452ba86d82f2fa4a61c2b27a199f376ac307c095beaa4f52cefcab59c8b28fa187c0bca13f55f2d98b
- SSDEEP
  
  1536:a44UF/3qab79HtYDAD5MPEBq9iNv6qfSOBHfVW:a44G3fRMPiuuv6qqOBHfVW
Score

3^/10
behavioral3 behavioral4
- Target
  
  Quasar_Gold/Include/NCCheck.dll
- Size
  
  162KB
- MD5
  
  569052631a6b80c1c6a336c10c978b02
- SHA1
  
  4bc411b19536c90a6ea0917d7d93f3f6560ee6f0
- SHA256
  
  c41cd461470ff3c936e225cea37e5190cb06e3cd70a3d76ca8e5d3aceead5493
- SHA512
  
  d0e251973a0c6b3fecaa41d9042c7001e4e9e20484fe2ed9ed1ce04a416952054cb010bff6643c0fa093ac60bbe079c11ba0d6f9699224a3db7a56fdbc4f7f69
- SSDEEP
  
  3072:iW3Hj+g/SFOANotkow8WZT75Izm04x7RP+iH3D1VIkB5XFu9H:v36gp5tk5Nx1P+iH3D1VIk6
Score

1^/10
behavioral5 behavioral6
- Target
  
  Quasar_Gold/Include/VS08ReactorAddin.dll
- Size
  
  133KB
- MD5
  
  b4c1e8023be1bd3af8425885ed5d02ce
- SHA1
  
  0d6e7eb3f8a6a442d7f7c030ddb0bdc5d907deed
- SHA256
  
  1952313f3a5c3b4e7a1269238dc070301c356bfb876471332d6439b6d3eefd12
- SHA512
  
  be0dec723b045afba3799435329b4c6dfa19997a4ba23725236f449990392f8531574eef1bf786bcf36777e7b72314d7210ed9e5508b114ae9a4112613436401
- SSDEEP
  
  1536:J1Ep+y0dr95DbEX1sJOSJCZQweMdYU+ZQweMdYU9:HS+y01fbEX+JOk
Score

1^/10
behavioral7 behavioral8
- Target
  
  Quasar_Gold/Include/VS13ReactorAddin.dll
- Size
  
  134KB
- MD5
  
  11ca1dfec3eaef207f6393d307cd5815
- SHA1
  
  c3e8d5267c6c295a0124dd396026ab07bf28ab09
- SHA256
  
  5e0efbda4f047575e7b7cd0ef047bddc7b05d5225f4a98a7d1ac93e28471e742
- SHA512
  
  bcac4268e3baf11ae8b8a87d6227f36b3c998040ef5301da5fd24e273d04827a74a5e027feb11decfddacfed2bbd2f86889fde63acf4e5c5c8adbc0e1b7ec935
- SSDEEP
  
  1536:xNfSLgOxb0fEonTpODxuHfr97OCzF1KRsNVpbdTRkr1sJOSJ4ZQweMdYUsZQweMc:xtScE8TIDefr97jFARsfpbd14+JOL
Score

1^/10
behavioral10 behavioral9
- Target
  
  Quasar_Gold/Include/VSReactorAddin.dll
- Size
  
  97KB
- MD5
  
  afc9814513e9cfb6a7905f1e6186e195
- SHA1
  
  641c75d7f0891fe5a4007b57cff863ee667a6d29
- SHA256
  
  a2629e2c3bf06260116bd88b07a8ee4fc8846367c9d8de53608ad5b4aadeb9db
- SHA512
  
  34ec4738c20b16fb22f600b0be84647a127d7c134365d53e78b8b3fcc5b38a4a91390503fd4d445b439831fe0fbd4a5bfa70216dc53c8df5daaa2b9f084a5f50
- SSDEEP
  
  1536:mnQAvDNONuHEEJTRkfLCbZGCZQweMdYUA1sJOSJE:lAvJKukYdkObZGt+JOt
Score

1^/10
behavioral11 behavioral12
- Target
  
  Quasar_Gold/Include/dotNET_Reactor.Console.exe
- Size
  
  14KB
- MD5
  
  0b4dbf61a98f3e34cdd3a1b08a6a4609
- SHA1
  
  73587f1f5d040541b230513d22d696513dbd4cf9
- SHA256
  
  e817802f166662a7df0b144571354d74b10e34d120f91ae9d84ca3ba925241c6
- SHA512
  
  7cca370890e4e245c84507623531b5f54b76ced3e8c6b87cdfc47ed16560b6a0a5cf9e0556075cd0d9266908e445b854114edd69d50870839624589676c0e688
- SSDEEP
  
  192:8jY53csvsqHwrHEdSAejbMfDn1Gp78dsKGXOdlWW1ksTkwy:8jEnskskQlm1GRJKGXOdlWW1XTR
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  Quasar_Gold/Include/dotNET_Reactor.exe
- Size
  
  5.8MB
- MD5
  
  7429e30caa2a8b41d926ffef1a05b347
- SHA1
  
  32abbd56225cd7379bb1cca8f6749d43916efe2b
- SHA256
  
  1efc5368bcd9704d7df85e2e143936d6ee4509ac31a7ca6d3eb4cf3b18c5ef27
- SHA512
  
  55243a97d9a7fcd43d531bb61615e734c8bfea242f6e28d67ce09cee586d032d83709a3b8c4ecf9b567252a53d1dad1853aca669316aa2ae62422386156b77c1
- SSDEEP
  
  49152:VoMLez0fgPdLl8HC5IaKSihCwc0YMOBf7BfKjGO+XYSaqNuT1i:Vy0fgPVwy70GUO
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Loads dropped DLL
behavioral15 behavioral16
- Target
  
  Quasar_Gold/Include/mpress.exe
- Size
  
  101KB
- MD5
  
  8b632bfc3fe653a510cba277c2d699d1
- SHA1
  
  d6a57aa17e5eb51297def9bac04e574c1e36d9c7
- SHA256
  
  2852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4
- SHA512
  
  b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587
- SSDEEP
  
  3072:S0+mlNniJkkKcfqBOb65VgB183gUGQ340HpL:SvmlNn4kkeOAVA1rUGh0Hp
Score

1^/10
behavioral17 behavioral18
- Target
  
  Quasar_Gold/Mono.Cecil.dll
- Size
  
  277KB
- MD5
  
  8df4d6b5dc1629fcefcdc20210a88eac
- SHA1
  
  16c661757ad90eb84228aa3487db11a2eac6fe64
- SHA256
  
  3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
- SHA512
  
  874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
- SSDEEP
  
  6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA
Score

1^/10
behavioral19 behavioral20
- Target
  
  Quasar_Gold/Mono.Nat.dll
- Size
  
  40KB
- MD5
  
  bf929442b12d4b5f9906b29834bf7db1
- SHA1
  
  810a2b3c8e548d1df931538bc304cc1405f7a32b
- SHA256
  
  b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0
- SHA512
  
  9fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828
- SSDEEP
  
  768:yoVesKx0V2LpibQJxoKUDHj560aSX3zlJAO:lVespQibC+H56k3fF
Score

1^/10
behavioral21 behavioral22
- Target
  
  Quasar_Gold/QuasarRAT.exe
- Size
  
  11.9MB
- MD5
  
  44b8fdbeac92e1b2e88085e33a296ac7
- SHA1
  
  120aff91f77e433a303288da47fcd8ccd9a62351
- SHA256
  
  a60c958fa5dda06d5b7e2002308d2398f3904d57488666ebc79932a041d40202
- SHA512
  
  293cb19c7ddc51092d5077dce39cc38426ca949006d160fc0b414b252c6fbeb01caffddebb7c8d1a4ab2284c3d8c020cbdeb121dedda4882f53d33a8c8b18778
- SSDEEP
  
  98304:/ZhqMpBUxERZSu66QVWqkLkUSYPVQarBN:/Z0MpB5/BDlF
Score

10^/10

darktrack persistence rat stealer
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  Quasar_Gold/Vestris.ResourceLib.dll
- Size
  
  76KB
- MD5
  
  64e9cb25aeefeeba3bb579fb1a5559bc
- SHA1
  
  e719f80fcbd952609475f3d4a42aa578b2034624
- SHA256
  
  34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
- SHA512
  
  b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
- SSDEEP
  
  1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp
Score

1^/10
behavioral25 behavioral26
- Target
  
  Quasar_Gold/client.bin
- Size
  
  278KB
- MD5
  
  19a3ab679df06aaff3d972cd014ca769
- SHA1
  
  fec74fcf958bd3effa02ae046308961f6a79cc54
- SHA256
  
  3ae294870c3f566d1fa8d05c04930b6a60569d23c4341dd1033f41530a3e8e6d
- SHA512
  
  41206553caab7a86e3ecc0e38a75ead6a74a5be358c53ee3a4902a367999409de8d381460ed3a20b9469c44667d1778bf7bd6fed728fc404c6c7e24afb5f589b
- SSDEEP
  
  3072:Ha0HvWfZu5YLCQ0eiGXkvg3TRP4QpaFtdwlj/jDLfXeLepb0t7mAq/37ua/C6Pee:9pQRiGXkIjRPZpYfwlTTXeypb0tqAaT
Score

10^/10

quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
behavioral27 behavioral28

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V1

ZGRat

Loads dropped DLL

Detect ZGRat V1

ZGRat

Loads dropped DLL

DarkTrack payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Quasar RAT

Quasar payload

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28