quasar | f97f77ce58a88581f1c85dd041e9eae54355627ecb8a50879e3e2b2d3b93c928

General

Target

Uni.bat
Size

513KB
Sample

240516-wjmgvsgf3s
MD5

0a925ca16ec44e9565027638c4ff20f7
SHA1

d20cce3d5306e093b5229277bf185d8837870434
SHA256

f97f77ce58a88581f1c85dd041e9eae54355627ecb8a50879e3e2b2d3b93c928
SHA512

063be2320c4fabda61ea010ed4cecd8cb48805590d174efe9df5664afe7507ab83087b604ecb9999c7c1c51e13a841735e976d846ef6c693fe0c72ac94ca1d43
SSDEEP

12288:ZUA4TL+TtSVgrl27G3czjtDAJyemKolW59Evy:ZUA4Yx27GYGJyemKtivy

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-AidubAN29rBfWYM23w

Attributes

encryption_key
iBg8YjYObpa3f3ADDras
install_name
$sxr-powershell.exe
log_directory
$SXR-LOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Uni.bat
- Size
  
  513KB
- MD5
  
  0a925ca16ec44e9565027638c4ff20f7
- SHA1
  
  d20cce3d5306e093b5229277bf185d8837870434
- SHA256
  
  f97f77ce58a88581f1c85dd041e9eae54355627ecb8a50879e3e2b2d3b93c928
- SHA512
  
  063be2320c4fabda61ea010ed4cecd8cb48805590d174efe9df5664afe7507ab83087b604ecb9999c7c1c51e13a841735e976d846ef6c693fe0c72ac94ca1d43
- SSDEEP
  
  12288:ZUA4TL+TtSVgrl27G3czjtDAJyemKolW59Evy:ZUA4Yx27GYGJyemKtivy
Score

10^/10

quasar slave execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4