blankgrabber | 8441ca56792be9352decdf9e6cc2d4508ca5186ca8cdc46002d2cfce9aa1920f | Triage

Submit
Reports

Overview

overview

Static

static

newest build.exe

windows7-x64

7

newest build.exe

windows10-2004-x64

Sharing

General

Target

newest build.exe
Size

9.4MB
Sample

240522-zylqnagf8v
MD5

ce64ce3d8c816918a69aca1fcd29d8ab
SHA1

3b63ad112e526555c81e3a2e5ad30d12627866af
SHA256

8441ca56792be9352decdf9e6cc2d4508ca5186ca8cdc46002d2cfce9aa1920f
SHA512

6e90572f1ebe89eeab7a5e0e4cb2c2bfce8840f2c8139b5e08033ef49e7fa7d4683acab81aa45bcde5ecae6814481dd8be03c38e158f5f73e8d76971c48b2482
SSDEEP

196608:nEd+sxfN1y/GgYIWurErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WB:eXxfjy/GgAurEUWjhEhn01tv392WB

Score

10^/10

blankgrabber quasar office04 execution spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

newest build.exe

Resource

win7-20240508-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

newest build.exe

Resource

win10v2004-20240426-en

quasar office04 execution spyware stealer trojan upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

86.13.66.89:4782

104.28.227.39:4782

Mutex

584f887c-7024-4e16-a56b-684919f2613f

Attributes

encryption_key
F478C43DE74A681AD4F5AF6B28E598051B310CDC
install_name
WPShell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows PowerShell
subdirectory
SubDir

Targets

- Target
  
  newest build.exe
- Size
  
  9.4MB
- MD5
  
  ce64ce3d8c816918a69aca1fcd29d8ab
- SHA1
  
  3b63ad112e526555c81e3a2e5ad30d12627866af
- SHA256
  
  8441ca56792be9352decdf9e6cc2d4508ca5186ca8cdc46002d2cfce9aa1920f
- SHA512
  
  6e90572f1ebe89eeab7a5e0e4cb2c2bfce8840f2c8139b5e08033ef49e7fa7d4683acab81aa45bcde5ecae6814481dd8be03c38e158f5f73e8d76971c48b2482
- SSDEEP
  
  196608:nEd+sxfN1y/GgYIWurErvI9pWjgU1DEzx7sKL/s1tySEQAkjUWlRH2WB:eXxfjy/GgAurEUWjhEhn01tv392WB
Score

10^/10

upx quasar office04 execution spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasaroffice04executionspywarestealertrojanupx

© 2018-2024

Terms | Privacy