blankgrabber | e23c864c53fb943c8675556990cd030d5b9c12f03becf8ac570793f1549ba08b | Triage

Submit
Reports

Overview

overview

Static

static

spare.gg advanced.exe

windows7-x64

7

spare.gg advanced.exe

windows10-2004-x64

Sharing

General

Target

spare.gg advanced.exe
Size

9.4MB
Sample

240522-ztvg1agf23
MD5

84b24fd57af6b0e675d4712551299eaa
SHA1

580c5dbab07936a8d817e4d95e79df5955127fb4
SHA256

e23c864c53fb943c8675556990cd030d5b9c12f03becf8ac570793f1549ba08b
SHA512

0170138bd6d8de879021d3c85c4ce5133dd936c7ce3be965fbda3fdc2ac395e7a244026dabac84ae6f0d7a6ee6c47aa67ed06aa464814588e8e03a8b6a672b1d
SSDEEP

196608:j+b+sxfNQvKe0urErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WE:0Xxf2Se0urEUWjhEhn01tv392WE

Score

10^/10

blankgrabber quasar office04 execution spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

spare.gg advanced.exe

Resource

win7-20231129-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

spare.gg advanced.exe

Resource

win10v2004-20240508-en

quasar office04 execution spyware stealer trojan upx

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

86.13.66.89:4782

Mutex

584f887c-7024-4e16-a56b-684919f2613f

Attributes

encryption_key
F478C43DE74A681AD4F5AF6B28E598051B310CDC
install_name
WPShell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows PowerShell
subdirectory
SubDir

Targets

- Target
  
  spare.gg advanced.exe
- Size
  
  9.4MB
- MD5
  
  84b24fd57af6b0e675d4712551299eaa
- SHA1
  
  580c5dbab07936a8d817e4d95e79df5955127fb4
- SHA256
  
  e23c864c53fb943c8675556990cd030d5b9c12f03becf8ac570793f1549ba08b
- SHA512
  
  0170138bd6d8de879021d3c85c4ce5133dd936c7ce3be965fbda3fdc2ac395e7a244026dabac84ae6f0d7a6ee6c47aa67ed06aa464814588e8e03a8b6a672b1d
- SSDEEP
  
  196608:j+b+sxfNQvKe0urErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WE:0Xxf2Se0urEUWjhEhn01tv392WE
Score

10^/10

upx quasar office04 execution spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Process Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

quasaroffice04executionspywarestealertrojanupx

© 2018-2024

Terms | Privacy