quasar | hxxps://gofile[.]io/d/hOwM5U

General

Target

https://gofile.io/d/hOwM5U
Sample

240527-e8th2agc71

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

4.tcp.eu.ngrok.io:13107

Mutex

a513133e-21b9-4038-af79-f32a1e59acd1

Attributes

encryption_key
67B6CC0217807251E05CEAAFF1F94BE68053AAD2
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
AMD Radeon Graphics 2022
subdirectory
SubDir

Targets

- Target
  
  https://gofile.io/d/hOwM5U
Score

10^/10

quasar xmrig office04 evasion execution miner persistence pyinstaller spyware stealer trojan upx
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1