quasar | 238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136 | Triage

Submit
Reports

Overview

overview

Static

static

1

Client-built.bat

windows10-1703-x64

Client-built.bat

windows10-2004-x64

Client-built.bat

windows11-21h2-x64

Sharing

General

Target

Client-built.bat
Size

1.9MB
Sample

240512-sp5c3sca5s
MD5

f8783f60ab5e5665f88d15125937097a
SHA1

d401c0545a1596c34e0a0f5d7f4a8e90c0444b07
SHA256

238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136
SHA512

7173b42b72b2b4bfed091945c1843dfe5acdcc701db37e6432eaabd96ef74252ee21ed01ea67e56ebc12e70248b5eaf176108886a2199ad01fc4928fd51a76b3
SSDEEP

24576:CkBOAnFF88UI+78BqCNpzIihx/5b7Oy/HUagEc/Hhns1UUM92VzwvVS74y0zGQoJ:CGeJlCnxlANNKzwSX4yJjh

Score

10^/10

quasar new execution persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Client-built.bat

Resource

win10-20240404-en

quasar new execution spyware trojan

windows10-1703-x64

12 signatures

300 seconds

Behavioral task

behavioral2

Sample

Client-built.bat

Resource

win10v2004-20240508-en

quasar new execution spyware trojan

windows10-2004-x64

17 signatures

300 seconds

Behavioral task

behavioral3

Sample

Client-built.bat

Resource

win11-20240426-en

quasar new execution persistence spyware trojan

windows11-21h2-x64

19 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

C2

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Targets

- Target
  
  Client-built.bat
- Size
  
  1.9MB
- MD5
  
  f8783f60ab5e5665f88d15125937097a
- SHA1
  
  d401c0545a1596c34e0a0f5d7f4a8e90c0444b07
- SHA256
  
  238be5cbe7d3d26bd815468a35061520c984e73ef6eeefe202ad5a173372f136
- SHA512
  
  7173b42b72b2b4bfed091945c1843dfe5acdcc701db37e6432eaabd96ef74252ee21ed01ea67e56ebc12e70248b5eaf176108886a2199ad01fc4928fd51a76b3
- SSDEEP
  
  24576:CkBOAnFF88UI+78BqCNpzIihx/5b7Oy/HUagEc/Hhns1UUM92VzwvVS74y0zGQoJ:CGeJlCnxlANNKzwSX4yJjh
Score

10^/10

quasar new execution spyware trojan persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarnewexecutionspywaretrojan

behavioral2

quasarnewexecutionspywaretrojan

behavioral3

quasarnewexecutionpersistencespywaretrojan

© 2018-2024

Terms | Privacy