quasar | 5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d | Triage

Submit
Reports

Overview

overview

Static

static

R0X-Built.exe

windows7-x64

R0X-Built.exe

windows10-2004-x64

Sharing

General

Target

R0X-Built.bat
Size

409KB
Sample

240504-fvjmcaea4s
MD5

baed4bf822391e30e4dbe2ae0ea3fcfe
SHA1

d978134771b65bace600644691b4d30c893920e8
SHA256

5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d
SHA512

b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452
SSDEEP

6144:OMS2pJAJcC0B6ezDDORUjySfNr3FHg60x4gQRbcdVsmAklsGEUGka9mC:jpyJcC+VzDDORm1rUQyiklFEUGka9mC

Score

10^/10

quasar slave persistence spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

R0X-Built.exe

Resource

win7-20240221-en

quasar slave spyware trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

R0X-Built.exe

Resource

win10v2004-20240419-en

quasar slave persistence spyware trojan

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

centre-clan.gl.at.ply.gg:40354

Mutex

$Sxr-HfroCBO1JCip2IbHKX

Attributes

encryption_key
2mXe0Epj621bYEM4YYhW
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Targets

- Target
  
  R0X-Built.bat
- Size
  
  409KB
- MD5
  
  baed4bf822391e30e4dbe2ae0ea3fcfe
- SHA1
  
  d978134771b65bace600644691b4d30c893920e8
- SHA256
  
  5ded8a15f37933b10dc5f2daea6c7ebbee3017da22d53f875acfa5882a318b6d
- SHA512
  
  b428424cfe003421a7c0a5d21a06709e80ee35d8c0f0501be19d8250fad27c72fcd98b9290510de0dc1147915751383a2908f075592eb4f2b8258e090cf2c452
- SSDEEP
  
  6144:OMS2pJAJcC0B6ezDDORUjySfNr3FHg60x4gQRbcdVsmAklsGEUGka9mC:jpyJcC+VzDDORm1rUQyiklFEUGka9mC
Score

10^/10

quasar slave spyware trojan persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavepersistencespywaretrojan

© 2018-2024

Terms | Privacy