quasar | 070ad3ab33bffaf96b8638b302117cde7f4f417759b00f8497b1a1c076844575 | Triage

Submit
Reports

Overview

overview

Static

static

3

39d0db6e95...18.exe

windows7-x64

39d0db6e95...18.exe

windows10-2004-x64

Sharing

General

Target

39d0db6e95e2a7e23fcd637085f8496d_JaffaCakes118
Size

1.8MB
Sample

240512-nc3aqsce4y
MD5

39d0db6e95e2a7e23fcd637085f8496d
SHA1

5293d9124ca789c27c77ee9f2a27dbdbd5a619f2
SHA256

070ad3ab33bffaf96b8638b302117cde7f4f417759b00f8497b1a1c076844575
SHA512

f07ebd353dc6a0e87481d6a5e3abe9beaf7ed337eae4acdda7074aa84ef09dfe30835f9ccf764584676453fdaa17fe96f077815ad01c885f08e786eacd2a3f3f
SSDEEP

12288:5WyG8PdU1cWK84twtShjMXoT8hke1X3v7F:3G8POL4twIhw4T8hke1HR

Score

10^/10

quasar office04 spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

39d0db6e95e2a7e23fcd637085f8496d_JaffaCakes118.exe

Resource

win7-20240215-en

quasar office04 spyware trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

39d0db6e95e2a7e23fcd637085f8496d_JaffaCakes118.exe

Resource

win10v2004-20240426-en

quasar office04 spyware trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1250

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

dedi001.dynip.online:1604

Mutex

QSR_MUTEX_fUMlvet13pGJVZGtTl

Attributes

encryption_key
cmUQwSOc5zCRWKiUUZBH
install_name
audiodg.exe
log_directory
Logs
reconnect_delay
1250
startup_key
Cortana
subdirectory
temp000

Targets

- Target
  
  39d0db6e95e2a7e23fcd637085f8496d_JaffaCakes118
- Size
  
  1.8MB
- MD5
  
  39d0db6e95e2a7e23fcd637085f8496d
- SHA1
  
  5293d9124ca789c27c77ee9f2a27dbdbd5a619f2
- SHA256
  
  070ad3ab33bffaf96b8638b302117cde7f4f417759b00f8497b1a1c076844575
- SHA512
  
  f07ebd353dc6a0e87481d6a5e3abe9beaf7ed337eae4acdda7074aa84ef09dfe30835f9ccf764584676453fdaa17fe96f077815ad01c885f08e786eacd2a3f3f
- SSDEEP
  
  12288:5WyG8PdU1cWK84twtShjMXoT8hke1X3v7F:3G8POL4twIhw4T8hke1HR
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy