Overview

overview

10

Static

static

10

spare.gg advanced.exe

windows7-x64

7

spare.gg advanced.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    spare.gg advanced.exe

  • Size

    9.4MB

  • Sample

    240522-ztvg1agf23

  • MD5

    84b24fd57af6b0e675d4712551299eaa

  • SHA1

    580c5dbab07936a8d817e4d95e79df5955127fb4

  • SHA256

    e23c864c53fb943c8675556990cd030d5b9c12f03becf8ac570793f1549ba08b

  • SHA512

    0170138bd6d8de879021d3c85c4ce5133dd936c7ce3be965fbda3fdc2ac395e7a244026dabac84ae6f0d7a6ee6c47aa67ed06aa464814588e8e03a8b6a672b1d

  • SSDEEP

    196608:j+b+sxfNQvKe0urErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WE:0Xxf2Se0urEUWjhEhn01tv392WE

Score
10/10
blankgrabberquasaroffice04executionspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

86.13.66.89:4782

Mutex

584f887c-7024-4e16-a56b-684919f2613f

Attributes
  • encryption_key

    F478C43DE74A681AD4F5AF6B28E598051B310CDC

  • install_name

    WPShell.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows PowerShell

  • subdirectory

    SubDir

Targets

    • Target

      spare.gg advanced.exe

    • Size

      9.4MB

    • MD5

      84b24fd57af6b0e675d4712551299eaa

    • SHA1

      580c5dbab07936a8d817e4d95e79df5955127fb4

    • SHA256

      e23c864c53fb943c8675556990cd030d5b9c12f03becf8ac570793f1549ba08b

    • SHA512

      0170138bd6d8de879021d3c85c4ce5133dd936c7ce3be965fbda3fdc2ac395e7a244026dabac84ae6f0d7a6ee6c47aa67ed06aa464814588e8e03a8b6a672b1d

    • SSDEEP

      196608:j+b+sxfNQvKe0urErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WE:0Xxf2Se0urEUWjhEhn01tv392WE

    Score
    10/10
    upxquasaroffice04executionspywarestealertrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks