quasar | c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436 | Triage

Submit
Reports

Overview

overview

Static

static

R0X-Built.exe

windows10-2004-x64

Sharing

General

Target

R0X-Built.exe
Size

409KB
Sample

240501-vtbyfabh9y
MD5

2812f62b21fe2118e1259169e015b054
SHA1

e96a2077f063b0c5fc9708f9c1e89283999e4211
SHA256

c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436
SHA512

bf5e18186402fcfd5dcd79bbbbe382ff9754e69098b6477dcef8cb3d69d71d67857fe6caf2362ed14aaf79412afb396a0f829a44335b31b7497ce0f690bb2aa2
SSDEEP

6144:cMP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:XpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

Score

10^/10

quasar slave spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

R0X-Built.exe

Resource

win10v2004-20240426-en

quasar slave spyware trojan

windows10-2004-x64

15 signatures

1200 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

localhost:4782

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
hwZQsCIcvotNKosjYueb
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Targets

- Target
  
  R0X-Built.exe
- Size
  
  409KB
- MD5
  
  2812f62b21fe2118e1259169e015b054
- SHA1
  
  e96a2077f063b0c5fc9708f9c1e89283999e4211
- SHA256
  
  c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436
- SHA512
  
  bf5e18186402fcfd5dcd79bbbbe382ff9754e69098b6477dcef8cb3d69d71d67857fe6caf2362ed14aaf79412afb396a0f829a44335b31b7497ce0f690bb2aa2
- SSDEEP
  
  6144:cMP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:XpiREGJ2ji9QyAhK/N6gBqJBj7yMTj
Score

10^/10

quasar slave spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy