quasar | 8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d | Triage

Submit
Reports

Overview

overview

Static

static

1

Uni.bat

windows7-x64

Uni.bat

windows10-1703-x64

Uni.bat

windows10-2004-x64

Uni.bat

windows11-21h2-x64

Sharing

General

Target

Uni.bat
Size

670KB
Sample

240508-vtaelshb45
MD5

6a80458e28d1386f08bbd333e223ec19
SHA1

77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
SHA256

8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
SHA512

e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
SSDEEP

12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq

Score

10^/10

quasar slave spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Uni.bat

Resource

win7-20240508-en

quasar slave spyware trojan

windows7-x64

10 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Uni.bat

Resource

win10-20240404-en

quasar slave spyware trojan

windows10-1703-x64

16 signatures

1800 seconds

Behavioral task

behavioral3

Sample

Uni.bat

Resource

win10v2004-20240508-en

quasar slave spyware trojan

windows10-2004-x64

17 signatures

1800 seconds

Behavioral task

behavioral4

Sample

Uni.bat

Resource

win11-20240419-en

quasar slave spyware trojan

windows11-21h2-x64

20 signatures

1800 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-dOMA5C0pQTTpKjVsCp

Attributes

encryption_key
UBXs44u6E81wxBGZxQHk
install_name
$sxr-powershell.exe
log_directory
$SXR-KEYLOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Uni.bat
- Size
  
  670KB
- MD5
  
  6a80458e28d1386f08bbd333e223ec19
- SHA1
  
  77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
- SHA256
  
  8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
- SHA512
  
  e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
- SSDEEP
  
  12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq
Score

10^/10

quasar slave spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavespywaretrojan

behavioral3

quasarslavespywaretrojan

behavioral4

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy