quasar | 653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985 | Triage

Submit
Reports

Overview

overview

Static

static

kadsfknads.exe

windows10-1703-x64

kadsfknads.exe

windows10-2004-x64

kadsfknads.exe

windows11-21h2-x64

Sharing

General

Target

kadsfknads.exe
Size

409KB
Sample

240424-vta15sdg4z
MD5

f78f2794728287425cac9fb2df79d06f
SHA1

3aedd26e40f9b97b76d2ac6ead991af37dcc61eb
SHA256

653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985
SHA512

12c2897886ee4052daf27199bb61d98b11a100c42d47fcd00694feaf1aff181f76ad9cab381236548f765da6d43f821ddfaff06adc3e82a8b92407cdcaef0c1f
SSDEEP

6144:prBdcuIns7ixFO/MlAGq0l9RkRSl/HVvKIIUb8rfVou49SDZQC8lU:Cs7ixmMlAGHlH/H1KIIRCSDZQ9U

Score

10^/10

quasar office04 spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

kadsfknads.exe

Resource

win10-20240404-en

quasar office04 spyware trojan

windows10-1703-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

kadsfknads.exe

Resource

win10v2004-20240412-en

quasar office04 spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Behavioral task

behavioral3

Sample

kadsfknads.exe

Resource

win11-20240412-en

quasar office04 spyware trojan

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

147.185.221.19:33587

Mutex

$Sxr-Y5UVaD4ms682Xx0mKC

Attributes

encryption_key
cNsPUetVqJ8ENI534piu
install_name
DLLBOOSTRAPPER.exe
log_directory
Upd Error Logs
reconnect_delay
3000
startup_key
Windows 2H22 x64 2022
subdirectory
DllHoster

Targets

- Target
  
  kadsfknads.exe
- Size
  
  409KB
- MD5
  
  f78f2794728287425cac9fb2df79d06f
- SHA1
  
  3aedd26e40f9b97b76d2ac6ead991af37dcc61eb
- SHA256
  
  653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985
- SHA512
  
  12c2897886ee4052daf27199bb61d98b11a100c42d47fcd00694feaf1aff181f76ad9cab381236548f765da6d43f821ddfaff06adc3e82a8b92407cdcaef0c1f
- SSDEEP
  
  6144:prBdcuIns7ixFO/MlAGq0l9RkRSl/HVvKIIUb8rfVou49SDZQC8lU:Cs7ixmMlAGHlH/H1KIIRCSDZQ9U
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasaroffice04spywaretrojan

behavioral3

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy