quasar | e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe | Triage

Submit
Reports

Overview

overview

Static

static

Unify.exe

windows7-x64

Unify.exe

windows10-2004-x64

Sharing

General

Target

Unify.exe
Size

409KB
Sample

240502-a7h9fseb95
MD5

54db32b9d5cab2c1dea1907cf4712b1d
SHA1

812f28828735a92effd2187e155d9ed3f0e915b3
SHA256

e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe
SHA512

6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163
SSDEEP

6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

Score

10^/10

quasar slave persistence spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Unify.exe

Resource

win7-20240221-en

quasar slave spyware trojan

windows7-x64

8 signatures

1200 seconds

Behavioral task

behavioral2

Sample

Unify.exe

Resource

win10v2004-20240419-en

quasar slave persistence spyware trojan

windows10-2004-x64

23 signatures

1200 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

localhost:4782

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
hwZQsCIcvotNKosjYueb
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Targets

- Target
  
  Unify.exe
- Size
  
  409KB
- MD5
  
  54db32b9d5cab2c1dea1907cf4712b1d
- SHA1
  
  812f28828735a92effd2187e155d9ed3f0e915b3
- SHA256
  
  e7d8e1b13c833d49fcc46a03d34ff18b7c93bd86bd0764828fa68d3d9eed2bbe
- SHA512
  
  6a13febe964f3f639e7d017f58c2f6631c18bea5a1ac716efa49a1c5306ecd2708cf92f133a9fcd8dc22850e661522a98f23c0fb7cb09752bb96a6d50bb69163
- SSDEEP
  
  6144:0MP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:fpiREGJ2ji9QyAhK/N6gBqJBj7yMTj
Score

10^/10

quasar slave spyware trojan persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavepersistencespywaretrojan

© 2018-2024

Terms | Privacy