quasar | dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5 | Triage

Submit
Reports

Overview

overview

Static

static

ArgonOSINT.exe

windows10-1703-x64

ArgonOSINT.exe

windows11-21h2-x64

Resubmissions

04-05-2024 05:10

240504-ft619aea3y 10

04-05-2024 05:06

240504-frlbrsdh81 10

Sharing

General

Target

ArgonOSINT.exe
Size

409KB
Sample

240504-frlbrsdh81
MD5

c4f70954d48c8653fde31fc63c619fc8
SHA1

c2fe0bc4eab66f6cbf19ab3a80817eba8084982e
SHA256

dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5
SHA512

1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc
SSDEEP

12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g

Score

10^/10

quasar slave spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ArgonOSINT.exe

Resource

win10-20240404-en

quasar slave spyware trojan

windows10-1703-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

ArgonOSINT.exe

Resource

win11-20240419-en

quasar slave spyware trojan

windows11-21h2-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
BfQu2aop09VkjugTkmuc
install_name
$sxr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$sxr-powershell
subdirectory
Windows

Targets

- Target
  
  ArgonOSINT.exe
- Size
  
  409KB
- MD5
  
  c4f70954d48c8653fde31fc63c619fc8
- SHA1
  
  c2fe0bc4eab66f6cbf19ab3a80817eba8084982e
- SHA256
  
  dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5
- SHA512
  
  1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc
- SSDEEP
  
  12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g
Score

10^/10

quasar slave spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy