quasar | ddea59e0fb05fcb26243ecca3be6f8e3bac329ef32b774a66420439d609c3e52

Sharing

Copy URL

Twitter E-mail

General

Target

Chaos_V4_2.zip
Size

38.3MB
Sample

240425-1g1nxsfd39
MD5

f2ef786513ee180b56297da3d31bfe36
SHA1

808b0613ee355d75dd9abec0b0e14986d0ec3b45
SHA256

ddea59e0fb05fcb26243ecca3be6f8e3bac329ef32b774a66420439d609c3e52
SHA512

10db8119b88db71803b701464ce2191c9f3c1ccd116dc2f20b033601bc557e8bdfca0c6fcce778766ddc556740db245b6beac6ee7e1c3d1d3aad618ab477e38c
SSDEEP

786432:t5q3DQ5ex3kcgKNRjtZhtZrnPUcGJ55ei3Eu:t5WQ5ilgKNR5ZhTbZGJ55ei3Eu

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.78:4782

Mutex

4616ad00-4709-44bd-a2b4-9a61d621574d

Attributes

encryption_key
DDE23047BCC4F649ACA444E89F2DBB5D52A3004D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe
- Size
  
  6KB
- MD5
  
  9e3727584d3c3d3f8071728378228118
- SHA1
  
  c366d3017e3d71d49e5ad596be88ee7b9d183ae7
- SHA256
  
  9731907ed2aa2c4ecd242edf582177cd87fde744ab4391675cc0b3d5d2d5df1e
- SHA512
  
  7ae42a8aafcdb9df7a695da52557a4c132c68a97039701ab3516d6c7a4cd859a798b1ef4651879d8ada926841a4412a7e81ebec9b5009d585b4c990ae1527982
- SSDEEP
  
  96:TFD8b1fph/kCo+AmdxirN1yR6PKYcD1UseL4VPNolhLzNt:ifphMCodmTirn46PKEL4VPNOhN
Score

1^/10
behavioral1 behavioral2
- Target
  
  Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe
- Size
  
  37.8MB
- MD5
  
  719fd2b752f99f9ad1da3e2f439ec717
- SHA1
  
  900a578b55324712b3fc2edc8b44c6f336932849
- SHA256
  
  a12504ad741383782b4e0ef4cc808903195484080f5770966aceb1d117b09697
- SHA512
  
  b1822f059810e50a072fcd871e81b2c5d83eaf343f7322384ad34013bed3f4d6a98ed6d37c1840dfc03a925eb334981911b86de534903a941346fcac3b820601
- SSDEEP
  
  786432:SulzfQX0ZlAime/FtbB9lNdnl8/A539IyPA:bQXknme/FhB9PtgA539IyPA
Score

10^/10

quasar office04 pyinstaller spyware trojan upx persistence stealer
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  Chaos_V3_2/Chaos_V3 (2)/Chaos V3/fpsunlocker.exe
- Size
  
  666KB
- MD5
  
  f0c71376e55ba3c65942e90348169921
- SHA1
  
  239085aa264e9eb743dde706231169820c32e03c
- SHA256
  
  94f4140b6e7c3e73364205829da26479dad5257752c009dca4dec4a6ce9f9637
- SHA512
  
  4ce20f764aac880362fbf9f9ade18c89e19eaa697e73cb08ce37b2eb25b3b655ec569de180c33ded00ca42147dd2c84d21b837224b318d56f258a6e881b6057f
- SSDEEP
  
  12288:4KOjJsDc2+WC+D+4H/xeGofENaTSuGCC709:4KyacgDD+4fwG1NaTSw
Score

1^/10
behavioral5 behavioral6
- Target
  
  Chaos_V3_2/Chaos_V3 (2)/Chaos V3/pssuspend.exe
- Size
  
  383KB
- MD5
  
  1b9f1a75593dfc670fa7c54659ab5796
- SHA1
  
  c9f0c40e012f8cfe20b1e5cd6a9a7b078e89a00b
- SHA256
  
  95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
- SHA512
  
  ab7b26ce5487af2a337cabfa16908ddf72bf1f6942675760e7decee874dd0f72fd47aa42bc442fe11f71fab03106c75db0234199974c7de84d1ed3f12a9b4788
- SSDEEP
  
  6144:V/M1xPjrG1x+YgoglDni32wAO5GeLCfCsip9631L5qMbYd:W3PG1x+1+pBLCfCjGNqGY
Score

1^/10
behavioral7 behavioral8