quasar | 6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc | Triage

Submit
Reports

Overview

overview

Static

static

Client-built.exe

windows10-1703-x64

Client-built.exe

windows10-2004-x64

Sharing

General

Target

Client-built.exe
Size

3.1MB
Sample

240523-nz8e9sfc96
MD5

97cd39b10b06129cb419a72e1a1827b0
SHA1

d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA256

6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512

266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
SSDEEP

49152:Kv7I22SsaNYfdPBldt698dBcjH2CRJ6nbR3LoGdDyaTHHB72eh2NT:KvE22SsaNYfdPBldt6+dBcjH2CRJ65T

Score

10^/10

quasar romka bootkit persistence spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Client-built.exe

Resource

win10-20240404-en

quasar romka bootkit persistence spyware stealer trojan

windows10-1703-x64

18 signatures

300 seconds

Behavioral task

behavioral2

Sample

Client-built.exe

Resource

win10v2004-20240426-en

quasar romka spyware trojan

windows10-2004-x64

14 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

C2

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes

encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name
Romilyaa.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows 10 Boot
subdirectory
SubDir

Targets

- Target
  
  Client-built.exe
- Size
  
  3.1MB
- MD5
  
  97cd39b10b06129cb419a72e1a1827b0
- SHA1
  
  d05b2d7cfdf8b12746ffc7a59be36634852390bd
- SHA256
  
  6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
- SHA512
  
  266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
- SSDEEP
  
  49152:Kv7I22SsaNYfdPBldt698dBcjH2CRJ6nbR3LoGdDyaTHHB72eh2NT:KvE22SsaNYfdPBldt6+dBcjH2CRJ65T
Score

10^/10

quasar romka bootkit persistence spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Pre-OS Boot

Bootkit

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarromkabootkitpersistencespywarestealertrojan

behavioral2

quasarromkaspywaretrojan

© 2018-2024

Terms | Privacy