quasar | dce8aa2451ab2695e3bc88e6a7aa6b4bc0caea02d9b20995a2a2ffba17094139

General

Target

PlutoBETAV2.rar
Size

17.3MB
Sample

240517-qft5msac5z
MD5

f5826a96fb92493dc08adfea4e762273
SHA1

b756604b32dcef3aee64e8f338438c92e194520d
SHA256

dce8aa2451ab2695e3bc88e6a7aa6b4bc0caea02d9b20995a2a2ffba17094139
SHA512

481342db1076482767df9dcef0c1696b381c83da04e6e16fff8fc9eaba9a5cbe1f507c08ab96ddb6f214b85cfdb48f67b8f1ccd36d4ce43ad45fc7e8e57ccffc
SSDEEP

393216:joAreTqwqv2Ztrc0MvGXkOyMhds3mbqH0agLHCfvR+VQIMR:jVreutvhIUkWsqH0ag+RW8

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PoofNRico

C2

nahchris-49021.portmap.host:49021

Mutex

1a5d095f-2c59-4b3f-b053-5bd928b2e541

Attributes

encryption_key
ADBAB4BC16998E7E1913E54C27829FE47C72BE6D
install_name
PlutoBETAv2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DiscordUpdater.exe
subdirectory
PlutoBETAv2

Targets

- Target
  
  PlutoBETA.2/PlutoBETA.V2.exe
- Size
  
  3.1MB
- MD5
  
  1b84762faebd8469f686f703cbaef7b9
- SHA1
  
  41e135a8a2a9525e09a2303055430e36d95780cd
- SHA256
  
  4b857bc454edef7fa460fecb36f676fa38bab8b3304f3f07d12b9777fa0b68cb
- SHA512
  
  da9482a2ef6fbe659afff4c5a0d1911145bb93be47dd5a714e4e1c24802f1e9d9669f5a209665a7da752e56d2c82c41e48c5bd951d26a2cd763fc8a62d4e703c
- SSDEEP
  
  49152:PvylL26AaNeWgPhlmVqvMQ7XSKO1RboGreTHHB72eh2NT:PvqL26AaNeWgPhlmVqkQ7XSKO1l
Score

10^/10

quasar poofnrico spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
behavioral1
- Target
  
  PlutoBETA.2/PlutoBETA.exe
- Size
  
  37.6MB
- MD5
  
  529f707d764d2da27d2b8f982e5c3c37
- SHA1
  
  e4ab7395a54777c310259b975e6ccbd1cc934d37
- SHA256
  
  90473bef6e0137f9d543260dec681ee7ce0f0e833f4084b4d427c1fea3f49045
- SHA512
  
  67e551b165f02fabd406afaa5a88cf75aa69cec689b544d41d093656783828236813102cbab8d8868457eec070039d381fe544c9215d07f66730fe4e97ceef63
- SSDEEP
  
  393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgh96l+ZArYsFRl7du:J3on1HvSzxAMNhFZArYsSPvp7OZuF
Score

8^/10

execution persistence spyware stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Drops file in System32 directory
behavioral2
- Target
  
  PlutoBETA.2/SetupVideo - Shortcut.lnk
- Size
  
  1015B
- MD5
  
  d835bf06e41cad74eee11c2cc1322107
- SHA1
  
  35f73d77ff355ba4aa08a71cec1d49002edd5175
- SHA256
  
  fd607023b58ec7535ff83ad28327e15cfb758551fcee20c508d2edead1233403
- SHA512
  
  965f62437d740e6bb330b78da1b26642aaba9f1dbd6648b5914263289424715a9e62767bef4f3a6e5f2a57b71c112263d2c58e5ea5572f5dde70a164b39d8942
Score

3^/10
behavioral3