quasar | 5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46 | Triage

Submit
Reports

Overview

overview

Static

static

1

Client-built.bat

windows10-1703-x64

Client-built.bat

windows10-2004-x64

Client-built.bat

windows11-21h2-x64

Sharing

General

Target

Client-built.bat
Size

1.9MB
Sample

240512-sj843sbg3w
MD5

44523454be47061f187cfdc2ec60834a
SHA1

86136762b9296ef6517bc01b7764e59398bab09b
SHA256

5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46
SHA512

4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080
SSDEEP

24576:kxASqRPmTwkE+UrVuwEQ6/RZhDGYAiM37i9yfela6S2ZZoB+a7ZpFifK7+tLe61s:k+TEwl7Q865Zuimi7/E4mp7kScR0

Score

10^/10

quasar new execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Client-built.bat

Resource

win10-20240404-en

quasar new execution spyware trojan

windows10-1703-x64

13 signatures

300 seconds

Behavioral task

behavioral2

Sample

Client-built.bat

Resource

win10v2004-20240426-en

quasar new execution spyware trojan

windows10-2004-x64

15 signatures

300 seconds

Behavioral task

behavioral3

Sample

Client-built.bat

Resource

win11-20240508-en

quasar new execution spyware trojan

windows11-21h2-x64

13 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

C2

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Targets

- Target
  
  Client-built.bat
- Size
  
  1.9MB
- MD5
  
  44523454be47061f187cfdc2ec60834a
- SHA1
  
  86136762b9296ef6517bc01b7764e59398bab09b
- SHA256
  
  5a88206b2a68e2c0175d091b3a0c7b133a1b35740b4acc33f5aaebe23fc97e46
- SHA512
  
  4c5f35a45ff1cfc394e19bbf1e4080fd43ea2ef9880b16b6fc316c85dc7fbdb222d03821224b3eac90a971c8f69a05ac96d86f7367cad658cfb229bf5f966080
- SSDEEP
  
  24576:kxASqRPmTwkE+UrVuwEQ6/RZhDGYAiM37i9yfela6S2ZZoB+a7ZpFifK7+tLe61s:k+TEwl7Q865Zuimi7/E4mp7kScR0
Score

10^/10

quasar new execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarnewexecutionspywaretrojan

behavioral2

quasarnewexecutionspywaretrojan

behavioral3

quasarnewexecutionspywaretrojan

© 2018-2024

Terms | Privacy