quasar | 2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1 | Triage

Sharing

General

Target

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118
Size

1.2MB
Sample

240515-2e76nafc8z
MD5

48578ca46a647e621583b8b3da2bbbc4
SHA1

d18da5d905ddc8977a63019df1aa32032c94a946
SHA256

2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
SHA512

55da81e0b1002f6678d64989939836606c40da7b65c43be12de41e0b5a365ed73d9b97aa41f94f9deea5d813707353630b7c70740f523af5aa576dd80bdde0ec
SSDEEP

24576:X53uhF8ZcjXB476PaZMr5U3aDAWaPUPTRNTwX6KR8+:X5+hFxPaZSCOtNkq8

Score

10^/10

quasar office spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

5.45.65.1:5552

Mutex

yeGmQfVnPgbImyPaxF

Attributes

encryption_key
983PIud97BRSEjju8fCD
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  48578ca46a647e621583b8b3da2bbbc4
- SHA1
  
  d18da5d905ddc8977a63019df1aa32032c94a946
- SHA256
  
  2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
- SHA512
  
  55da81e0b1002f6678d64989939836606c40da7b65c43be12de41e0b5a365ed73d9b97aa41f94f9deea5d813707353630b7c70740f523af5aa576dd80bdde0ec
- SSDEEP
  
  24576:X53uhF8ZcjXB476PaZMr5U3aDAWaPUPTRNTwX6KR8+:X5+hFxPaZSCOtNkq8
Score

10^/10

quasar office spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarofficespywaretrojan