quasar | b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd

General

Target

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd
Size

539KB
Sample

240527-ceernscc5z
MD5

c05d4bfb1c0e89db58fa981980938b76
SHA1

12801b26c7b68224c8540ad08ad9387110d0fd46
SHA256

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd
SHA512

926f6d48a44b7b56667e5b74dc3f7cff513f6ae02edd07df0ca2e5bc21690e5cdef77213307d8595a9a4127b582f5fc50aab0b97350e08b7486c33e4ada651c5
SSDEEP

12288:unm5pMGjw5LSk0zWbzGsoYFAY7NvlDmmM:um5GGjw5LSk0zWbzRoYbvlSH

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Controlhost

C2

121.43.158.106:4782

yc01h.11ychos.xyz:4782

Mutex

QSR_MUTEX_GFWuzMTNQOijYUKopR

Attributes

encryption_key
Xym3BhtshKCyrit7obQT8XbWGz4i7Yw4
install_name
Controlhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Controlhost
subdirectory
Controlhost

Targets

- Target
  
  b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd
- Size
  
  539KB
- MD5
  
  c05d4bfb1c0e89db58fa981980938b76
- SHA1
  
  12801b26c7b68224c8540ad08ad9387110d0fd46
- SHA256
  
  b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd
- SHA512
  
  926f6d48a44b7b56667e5b74dc3f7cff513f6ae02edd07df0ca2e5bc21690e5cdef77213307d8595a9a4127b582f5fc50aab0b97350e08b7486c33e4ada651c5
- SSDEEP
  
  12288:unm5pMGjw5LSk0zWbzGsoYFAY7NvlDmmM:um5GGjw5LSk0zWbzRoYbvlSH
Score

10^/10

quasar controlhost spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables containing common artifacts observed in infostealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing common artifacts observed in infostealers

Checks computer location settings

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2