quasar | 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb | Triage

Submit
Reports

Overview

overview

Static

static

3

2379cbf1b5...bb.exe

windows7-x64

2379cbf1b5...bb.exe

windows10-2004-x64

7

Sharing

General

Target

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
Size

3.2MB
Sample

240527-ylvx5ahb33
MD5

6c16807e4417e60366cde4515d148ab3
SHA1

b8212729ae453b48531c5331cfdaea3aa213cf85
SHA256

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
SHA512

eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
SSDEEP

49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ

Score

10^/10

quasar office04 execution spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Resource

win7-20240419-en

quasar office04 execution spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Resource

win10v2004-20240426-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

1`:4782

Mutex

af2aa588-6605-4638-8da1-ae434f48b4a8

Attributes

encryption_key
45ADA9B733F36F800D08E295E8F812611F35D087
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
- Size
  
  3.2MB
- MD5
  
  6c16807e4417e60366cde4515d148ab3
- SHA1
  
  b8212729ae453b48531c5331cfdaea3aa213cf85
- SHA256
  
  2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
- SHA512
  
  eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
- SSDEEP
  
  49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ
Score

10^/10

quasar office04 execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing common artifacts observed in infostealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to get system information.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04executionspywaretrojan

behavioral2

© 2018-2024

Terms | Privacy