quasar | 84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724 | Triage

Submit
Reports

Overview

overview

Static

static

1

Shadow-Stealer.bat

windows11-21h2-x64

Sharing

General

Target

Shadow-Stealer.bat
Size

12.5MB
Sample

240528-k1tfysee89
MD5

cf5b412ffc3ce43cd7ddce602fc67f56
SHA1

221dfcd0868158f676c472d8a5bcf9647f0c7d51
SHA256

84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
SHA512

695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
SSDEEP

49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

Score

10^/10

quasar v2.2.6 | tinsler spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shadow-Stealer.bat

Resource

win11-20240508-en

quasar v2.2.6 | tinsler spyware trojan

windows11-21h2-x64

23 signatures

1800 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | Tinsler

C2

throbbing-mountain-09011.pktriot.net:22112

167.71.56.116:22112

throbbing-mountain-09011.pktriot.net:5050

Mutex

cf16a257-7d89-4296-8384-8fca3dbb568f

Attributes

encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
1000

Targets

- Target
  
  Shadow-Stealer.bat
- Size
  
  12.5MB
- MD5
  
  cf5b412ffc3ce43cd7ddce602fc67f56
- SHA1
  
  221dfcd0868158f676c472d8a5bcf9647f0c7d51
- SHA256
  
  84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
- SHA512
  
  695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
- SSDEEP
  
  49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
Score

10^/10

quasar v2.2.6 | tinsler spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarv2.2.6 | tinslerspywaretrojan

© 2018-2024

Terms | Privacy