quasar | 3026eb3fcde09d0d4e0695b3f74cb420b1e9d64b30c1ced3ed6a20f085a34d51 | Triage

Submit
Reports

Overview

overview

Static

static

1

Fixer-obf.bat

windows10-1703-x64

Fixer-obf.bat

windows10-2004-x64

Fixer-obf.bat

windows11-21h2-x64

Sharing

General

Target

Fixer-obf.bat
Size

24KB
Sample

240512-w74faadd84
MD5

03361badff8e7ecad39acd34f5f14749
SHA1

c023fd9bd854f59f527141824e8fa6a311a57858
SHA256

3026eb3fcde09d0d4e0695b3f74cb420b1e9d64b30c1ced3ed6a20f085a34d51
SHA512

796e7466d4af6e2d52bc265b6a9d0881989cebd52ff6c6bae8d3817db61f50dc26e5982a6eb5fe16bf4e7d5cf3aa09a5a33e35c51c94a58d32438684fb88f979
SSDEEP

384:UOpRAoUR7FKSVwpehr0kqTdyUO0OPniIjSFI:zpRrURhKKEehr0kqTIUO0OPnih+

Score

10^/10

quasar rpad discovery execution persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Fixer-obf.bat

Resource

win10-20240404-en

quasar rpad discovery execution persistence spyware trojan

windows10-1703-x64

21 signatures

300 seconds

Behavioral task

behavioral2

Sample

Fixer-obf.bat

Resource

win10v2004-20240226-en

quasar rpad discovery execution spyware trojan

windows10-2004-x64

24 signatures

300 seconds

Behavioral task

behavioral3

Sample

Fixer-obf.bat

Resource

win11-20240426-en

quasar rpad discovery execution spyware trojan

windows11-21h2-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RPad

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-okPqrmZ8kNVUcS4Rp0

Attributes

encryption_key
XmcBnPuLlN1e8SHIRR1z
install_name
$sxr-powershell.exe
log_directory
$SXR-LOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Fixer-obf.bat
- Size
  
  24KB
- MD5
  
  03361badff8e7ecad39acd34f5f14749
- SHA1
  
  c023fd9bd854f59f527141824e8fa6a311a57858
- SHA256
  
  3026eb3fcde09d0d4e0695b3f74cb420b1e9d64b30c1ced3ed6a20f085a34d51
- SHA512
  
  796e7466d4af6e2d52bc265b6a9d0881989cebd52ff6c6bae8d3817db61f50dc26e5982a6eb5fe16bf4e7d5cf3aa09a5a33e35c51c94a58d32438684fb88f979
- SSDEEP
  
  384:UOpRAoUR7FKSVwpehr0kqTdyUO0OPniIjSFI:zpRrURhKKEehr0kqTIUO0OPnih+
Score

10^/10

quasar rpad discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarrpaddiscoveryexecutionpersistencespywaretrojan

behavioral2

quasarrpaddiscoveryexecutionspywaretrojan

behavioral3

quasarrpaddiscoveryexecutionspywaretrojan

© 2018-2024

Terms | Privacy