quasar | 40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3 | Triage

Submit
Reports

Overview

overview

Static

static

3

XWormLoade...64.exe

windows10-1703-x64

XWormLoade...64.exe

windows10-2004-x64

XWormLoade...64.exe

windows11-21h2-x64

Sharing

General

Target

XWormLoader 5.2 x64.exe
Size

329KB
Sample

240503-wdcepsfa43
MD5

893ee266eef0ca3b11bdb859839df69d
SHA1

1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
SHA256

40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
SHA512

694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
SSDEEP

6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51

Score

10^/10

quasar slave persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

XWormLoader 5.2 x64.exe

Resource

win10-20240404-en

quasar slave spyware trojan

windows10-1703-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

XWormLoader 5.2 x64.exe

Resource

win10v2004-20240419-en

quasar slave persistence spyware trojan

windows10-2004-x64

26 signatures

150 seconds

Behavioral task

behavioral3

Sample

XWormLoader 5.2 x64.exe

Resource

win11-20240426-en

quasar slave spyware trojan

windows11-21h2-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
AqYe7s30CMq7SVM0oxKR
install_name
Discord.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Discord
subdirectory
Discord

Targets

- Target
  
  XWormLoader 5.2 x64.exe
- Size
  
  329KB
- MD5
  
  893ee266eef0ca3b11bdb859839df69d
- SHA1
  
  1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
- SHA256
  
  40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
- SHA512
  
  694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
- SSDEEP
  
  6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51
Score

10^/10

quasar slave spyware trojan persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavepersistencespywaretrojan

behavioral3

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy