quasar | 8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be

General

Target

3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118
Size

470KB
Sample

240513-xzhz2sae5w
MD5

3c5a4a6e0984220de5f8945f7e7d2fb7
SHA1

d8cc682345256e7529c06bf6dc61bd262bfb724f
SHA256

8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be
SHA512

22ecf95c7aab5c71beda5cf45f07d10e3d7b174751d46d5f157239272b84ec4001cc1ddcc4cc9d49c6c70dbb64cdda6e3b0111a0cb53266d23ded811f8905aa0
SSDEEP

6144:58E5banFRAD6ByRaFqLjWg5iVkLWHJsFZMrATekM5fLH7kWBxjdpCPyS9TDEx:t6ROuBOjWvVkLWH+TjSllDhBrpCP2

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

anglekeys.duckdns.org:4782

anglekeys.dynu.com:4782

anglekeys.dynu.net:4782

Mutex

QSR_MUTEX_sgMP7QuqDU0bxo1dBD

Attributes

encryption_key
NCiE6G1xAqLWGNL2JrfI
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  3c5a4a6e0984220de5f8945f7e7d2fb7_JaffaCakes118
- Size
  
  470KB
- MD5
  
  3c5a4a6e0984220de5f8945f7e7d2fb7
- SHA1
  
  d8cc682345256e7529c06bf6dc61bd262bfb724f
- SHA256
  
  8ad13febcc803f9ee8a83e5e5dad20e4ab0083b206d2b2c1e1bd5809125031be
- SHA512
  
  22ecf95c7aab5c71beda5cf45f07d10e3d7b174751d46d5f157239272b84ec4001cc1ddcc4cc9d49c6c70dbb64cdda6e3b0111a0cb53266d23ded811f8905aa0
- SSDEEP
  
  6144:58E5banFRAD6ByRaFqLjWg5iVkLWHJsFZMrATekM5fLH7kWBxjdpCPyS9TDEx:t6ROuBOjWvVkLWH+TjSllDhBrpCP2
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2