quasar | 98bbe270ca87c08856cc3dceafef76824baa96fe031d7f00f0517b2fd898e117 | Triage

Submit
Reports

Overview

overview

Static

static

R0X-Built.exe

windows10-2004-x64

Sharing

General

Target

R0X-Built.exe
Size

409KB
Sample

240510-g7499abd49
MD5

a4a9308ce3b465b6b2dccb94b86d8a83
SHA1

7e594db5d7adbffa0ca6cadad7a8b037156d90cc
SHA256

98bbe270ca87c08856cc3dceafef76824baa96fe031d7f00f0517b2fd898e117
SHA512

393af569d8d3cbe2a12fe0c938ccd15ff2247cd1e916de71b8567cb0beb7aa93991735baf9e00db657fa626e797a70699f290a96405a8abf03c3bb24e25f977b
SSDEEP

12288:bpiREGJofVF99JK03/Mi57Ey6srDZkRYjT5+Mn2FyaZs:1wpJy9JK0PMi5oivSdi

Score

10^/10

quasar slave spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

R0X-Built.exe

Resource

win10v2004-20240508-en

quasar slave spyware trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

looking-memphis.gl.at.ply.gg:45119:41251

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
740ewEJmzLdsHQMggIQI
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-powershell
subdirectory
Windows

Targets

- Target
  
  R0X-Built.exe
- Size
  
  409KB
- MD5
  
  a4a9308ce3b465b6b2dccb94b86d8a83
- SHA1
  
  7e594db5d7adbffa0ca6cadad7a8b037156d90cc
- SHA256
  
  98bbe270ca87c08856cc3dceafef76824baa96fe031d7f00f0517b2fd898e117
- SHA512
  
  393af569d8d3cbe2a12fe0c938ccd15ff2247cd1e916de71b8567cb0beb7aa93991735baf9e00db657fa626e797a70699f290a96405a8abf03c3bb24e25f977b
- SSDEEP
  
  12288:bpiREGJofVF99JK03/Mi57Ey6srDZkRYjT5+Mn2FyaZs:1wpJy9JK0PMi5oivSdi
Score

10^/10

quasar slave spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslavespywaretrojan

© 2018-2024

Terms | Privacy