quasar | ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af | Triage

Sharing

General

Target

666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118
Size

604KB
Sample

240522-h2g37sfh69
MD5

666fbcded6f5f768d1c433710bdfb97a
SHA1

05f5c8ae533b83759c44563e4ec9bd5f352ba52b
SHA256

ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
SHA512

b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b
SSDEEP

12288:nX7OBZwbZsAiaFyzppofiZu5+5urMBgkS9UOIK:mZw1B8zpYiw5wOMCkSuOIK

Score

10^/10

quasar office04 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

192.168.0.35:6969

Mutex

QSR_MUTEX_A682BosRnRdjNjsQHf

Attributes

encryption_key
kmHPXJ9zDF9KCDBwlFlP
install_name
hello.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowStartup
subdirectory
SubDir

Targets

- Target
  
  666fbcded6f5f768d1c433710bdfb97a_JaffaCakes118
- Size
  
  604KB
- MD5
  
  666fbcded6f5f768d1c433710bdfb97a
- SHA1
  
  05f5c8ae533b83759c44563e4ec9bd5f352ba52b
- SHA256
  
  ab5ac2f957bb8b1f6a9091d6da58f1afb57a15553bad1434020f3ef26b1063af
- SHA512
  
  b2a7b1a6637fd974decb7c31362084c2ded234cec2301dfc5275b295802f98ac77c1e64c1eedaf9acce2168795b4f5cfc7da899734f57ef38bbcf688a295424b
- SSDEEP
  
  12288:nX7OBZwbZsAiaFyzppofiZu5+5urMBgkS9UOIK:mZw1B8zpYiw5wOMCkSuOIK
Score

10^/10

quasar office04 persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04persistencespywaretrojan

behavioral2

quasaroffice04persistencespywaretrojan