quasar | aebe0bafeb12706e614a45f2df40518d32d502093517ce95e2d3c1bbfd64ca67 | Triage

Submit
Reports

Overview

overview

Static

static

1

Fix.bat

windows10-1703-x64

Fix.bat

windows10-2004-x64

Fix.bat

windows11-21h2-x64

Sharing

General

Target

Fix.bat
Size

621B
Sample

240512-xpf3psed57
MD5

e235e723f57a72ef725306c3e14d4726
SHA1

9b2153053f8e89c300e32da5df32e9b990594aac
SHA256

aebe0bafeb12706e614a45f2df40518d32d502093517ce95e2d3c1bbfd64ca67
SHA512

0a4eda531be3904ae944d2c1c43755921cde4333a8e9d6bee6669e3de73b6c7859bb7ab3aa7a712fa2085d3fa1fb1d1ed14e5d6ed488a10bd2f6ab6ed049d25e

Score

10^/10

quasar rpad discovery execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Fix.bat

Resource

win10-20240404-en

quasar rpad discovery execution spyware trojan

windows10-1703-x64

18 signatures

300 seconds

Behavioral task

behavioral2

Sample

Fix.bat

Resource

win10v2004-20240508-en

quasar rpad discovery execution spyware trojan

windows10-2004-x64

25 signatures

300 seconds

Behavioral task

behavioral3

Sample

Fix.bat

Resource

win11-20240508-en

quasar rpad discovery execution spyware trojan

windows11-21h2-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RPad

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-okPqrmZ8kNVUcS4Rp0

Attributes

encryption_key
XmcBnPuLlN1e8SHIRR1z
install_name
$sxr-powershell.exe
log_directory
$SXR-LOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Fix.bat
- Size
  
  621B
- MD5
  
  e235e723f57a72ef725306c3e14d4726
- SHA1
  
  9b2153053f8e89c300e32da5df32e9b990594aac
- SHA256
  
  aebe0bafeb12706e614a45f2df40518d32d502093517ce95e2d3c1bbfd64ca67
- SHA512
  
  0a4eda531be3904ae944d2c1c43755921cde4333a8e9d6bee6669e3de73b6c7859bb7ab3aa7a712fa2085d3fa1fb1d1ed14e5d6ed488a10bd2f6ab6ed049d25e
Score

10^/10

quasar rpad discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarrpaddiscoveryexecutionspywaretrojan

behavioral2

quasarrpaddiscoveryexecutionspywaretrojan

behavioral3

quasarrpaddiscoveryexecutionspywaretrojan

© 2018-2024

Terms | Privacy