General

  • Target

    2024-05-23_86f8ab131d760b36b3606c3297c907c3_hiddentear

  • Size

    175KB

  • Sample

    240523-zzmpcagf72

  • MD5

    86f8ab131d760b36b3606c3297c907c3

  • SHA1

    5ca6c76dc0c411384408ad093bcd321ed0c01603

  • SHA256

    968f80b313d7b5735455963fbc8423ab85c6ac4f20ee516257442e3a04b47a57

  • SHA512

    32df021c92ad01eed2a79e3310e9364c210eb701d040a3cf783102aa5f0b68989d75502b49a159a9f6a7bd859b1373a7db2f59ba8a281cbce028d9dca27fea7d

  • SSDEEP

    3072:iHBOqsKPjqj7hGGM+lmsolAIrRuw+mqv9j1MWLQ:ihODGl+lDAA

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.81.150.172:4782

Mutex

11baa5a5-5e9e-4125-84cc-37d234d4726b

Attributes

  • encryption_key

    5F9E03EC6830CA20E37DC97AEE1BB847C8BF19CD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      2024-05-23_86f8ab131d760b36b3606c3297c907c3_hiddentear

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with 9Rays.Net Spices.Net Obfuscator.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter, T1059 (1)

    • PowerShell, T1059.001 (1)

  • Scheduled Task/Job, T1053 (1)

Persistence

  • Scheduled Task/Job, T1053 (1)

Privilege Escalation

  • Scheduled Task/Job, T1053 (1)

Defense Evasion

  • Subvert Trust Controls, T1553 (1)

    • Install Root Certificate, T1553.004 (1)

  • Modify Registry, T1112 (1)

Discovery

  • System Information Discovery, T1082 (1)

  • Query Registry, T1012 (1)

Tasks