quasar | 5f4e3342d7148047d9b8a6e3a6626fc6a28e05fea788d2345c38ac7ccb7afb1f | Triage

Sharing

General

Target

RobloxPingOptimizer-Main-x64-NEW.zip
Size

10.7MB
Sample

240521-1317ksca42
MD5

47b64de4515cb5fd15042f21d366000d
SHA1

4f39c55dd1e5f78fcc62d9253a660c9189bef921
SHA256

5f4e3342d7148047d9b8a6e3a6626fc6a28e05fea788d2345c38ac7ccb7afb1f
SHA512

19c7b1a33c2ea08a8ab10ba32834ce174f9e2987f951e24fa0c202ed78edb547bfaf8c428f484b40c8fabf4d11eabe07cede7136c65c78d003e56fa739e2015c
SSDEEP

196608:3stpCTmsmbOlv+STCtVW812O8KVsKjpoeW/RKMi7r6CPIBF7657ma/VOaJ:3+i+SGtb1CONpQ/Ipn60M8577/saJ

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Targets

- Target
  
  RobloxPingOptimizer-Main-x64-NEW.zip
- Size
  
  10.7MB
- MD5
  
  47b64de4515cb5fd15042f21d366000d
- SHA1
  
  4f39c55dd1e5f78fcc62d9253a660c9189bef921
- SHA256
  
  5f4e3342d7148047d9b8a6e3a6626fc6a28e05fea788d2345c38ac7ccb7afb1f
- SHA512
  
  19c7b1a33c2ea08a8ab10ba32834ce174f9e2987f951e24fa0c202ed78edb547bfaf8c428f484b40c8fabf4d11eabe07cede7136c65c78d003e56fa739e2015c
- SSDEEP
  
  196608:3stpCTmsmbOlv+STCtVW812O8KVsKjpoeW/RKMi7r6CPIBF7657ma/VOaJ:3+i+SGtb1CONpQ/Ipn60M8577/saJ
Score

1^/10
behavioral1 behavioral2
- Target
  
  RobloxPingOptimizer-Main-x64.NEW/RobloxPingOptimizer-Main-x64/Main/README.txt
- Size
  
  118B
- MD5
  
  8d47a024ff0842ca55a5cad3a82633a7
- SHA1
  
  b04796de3c78fc3ee10492049e6fc8fc0c810892
- SHA256
  
  0abe451c981cb71bed7b8baab58927199a645de43eb0d3f034c5e222b508bcf6
- SHA512
  
  b9d6f59698779765afe0dfcbe00ef4fa8641173f5c84e6735c548f573545e88720115853aaa8842596bd9a718264250283822c64c9cc4f9b49fc527963c0650e
Score

1^/10
behavioral3 behavioral4
- Target
  
  RobloxPingOptimizer-Main-x64.NEW/RobloxPingOptimizer-Main-x64/Main/RobloxPingOptimizer.bat
- Size
  
  15.6MB
- MD5
  
  0e7fa38a2267f6c3c8b0afafda56ef99
- SHA1
  
  e116a71ae311011f1fc2697e84575990b75d96b4
- SHA256
  
  30800e9982e73ce9a2f315b05630225f57b6ae1d219902b8dcde6031d840a553
- SHA512
  
  75f5108166ac7224f5797941f57ada798a1bb760850677618770fb4aa7c9dd3d9298013afde66a0eba303852c9dfb2277b8bda61243c161b35975f1030ed9e98
- SSDEEP
  
  49152:Cdxc9riM4QO4C2ltO7iHK35ROUcdDvgVNfLH9QDn7OusKIV+cDBGVKKjU5ECeNNI:k
Score

10^/10

execution quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

quasarexecutionspywaretrojan