quasar | 347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184 | Triage

Submit
Reports

Overview

overview

Static

static

Update.exe

windows10-1703-x64

Update.exe

windows11-21h2-x64

Sharing

General

Target

Update.exe
Size

409KB
Sample

240421-vfqvfafh6v
MD5

ed68b64af85a06a4d3edfb0eedbd5a00
SHA1

668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
SHA256

347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
SHA512

7555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
SSDEEP

6144:nrBdTMOznI2U/rgSuXfh+8sopVpkG9YiLLLKItKbFrJCBzzFd3MI:oynI2UeXfh+X+5YiPLKItwyRd3MI

Score

10^/10

quasar slave persistence spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Update.exe

Resource

win10-20240404-en

quasar slave persistence spyware trojan

windows10-1703-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Update.exe

Resource

win11-20240412-en

quasar slave spyware trojan

windows11-21h2-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

147.185.221.19:33587

Mutex

$Sxr-GdUyI5k46zQj7thBLl

Attributes

encryption_key
y0X14czHxU2CjCZoALAD
install_name
BiosUpdX64.exe
log_directory
$sxr
reconnect_delay
3000
startup_key
$sxr-metsha
subdirectory
Windows

Targets

- Target
  
  Update.exe
- Size
  
  409KB
- MD5
  
  ed68b64af85a06a4d3edfb0eedbd5a00
- SHA1
  
  668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
- SHA256
  
  347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
- SHA512
  
  7555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
- SSDEEP
  
  6144:nrBdTMOznI2U/rgSuXfh+8sopVpkG9YiLLLKItKbFrJCBzzFd3MI:oynI2UeXfh+X+5YiPLKItwyRd3MI
Score

10^/10

quasar slave persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavepersistencespywaretrojan

behavioral2

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy