quasar | 04f86ef6a2870bcaff958187d1bbf7281e6c8c1c1f2fbefddc11e3a379e4f9b9 | Triage

Submit
Reports

Overview

overview

Static

static

Uni.exe

windows11-21h2-x64

Sharing

General

Target

Uni.exe
Size

409KB
Sample

240514-wvkgmshe3x
MD5

16e4226eddebe2148b46353c351ec570
SHA1

5879aab64c4d4c086f24807f85c3f1bec657db9c
SHA256

04f86ef6a2870bcaff958187d1bbf7281e6c8c1c1f2fbefddc11e3a379e4f9b9
SHA512

7fa89b0aee061fca53534c7e38dfa873235095e32f64e87d7a8457e765f804d8f2408e90b90a484ea3e9c18d1110a5667de9aab14d9d9e22911433e9da4cfd38
SSDEEP

6144:cMfPp5S6M1Xy0vjzilQA9QU9sX0bx4UmWOQ6rhxODbfFOqb:Rpg6M1i+jzilQoAVUmjJtx2fF5b

Score

10^/10

quasar seroxen spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Uni.exe

Resource

win11-20240508-en

quasar seroxen spyware trojan

windows11-21h2-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-NCZpRTaGL620kkY20c

Attributes

encryption_key
0CaeSao9jSngJXRQGaoy
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Targets

- Target
  
  Uni.exe
- Size
  
  409KB
- MD5
  
  16e4226eddebe2148b46353c351ec570
- SHA1
  
  5879aab64c4d4c086f24807f85c3f1bec657db9c
- SHA256
  
  04f86ef6a2870bcaff958187d1bbf7281e6c8c1c1f2fbefddc11e3a379e4f9b9
- SHA512
  
  7fa89b0aee061fca53534c7e38dfa873235095e32f64e87d7a8457e765f804d8f2408e90b90a484ea3e9c18d1110a5667de9aab14d9d9e22911433e9da4cfd38
- SSDEEP
  
  6144:cMfPp5S6M1Xy0vjzilQA9QU9sX0bx4UmWOQ6rhxODbfFOqb:Rpg6M1i+jzilQoAVUmjJtx2fF5b
Score

10^/10

quasar seroxen spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarseroxenspywaretrojan

© 2018-2024

Terms | Privacy