quasar | abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03 | Triage

Submit
Reports

Overview

overview

Static

static

3

Build.exe

windows7-x64

6

Build.exe

windows10-2004-x64

Sharing

General

Target

Build.exe
Size

15KB
Sample

240529-jldxaafe2t
MD5

27275853bd5996fb2f3767772d068d56
SHA1

14fb4c3c74870f14af8c4cd7c8eafa81c99c70c2
SHA256

abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03
SHA512

7e05ec050eaea236c04d74042ac1b2d5634e2be0dd3b8807bada25c38f2f758de9cc25d69fcfd5086b949dc74b97ad2401bce9e6db541153cec60e33024cc887
SSDEEP

384:twpcZrxSdohsUVdko8bxjsCa2txgb6P/sxErmM8/ANWUh:mpSk8VOfb2M669Sct

Score

10^/10

quasar office04 execution spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Build.exe

Resource

win7-20231129-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

Build.exe

Resource

win10v2004-20240508-en

quasar office04 execution spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

31.177.108.29:4782

Mutex

553dcf2c-4c70-4c0c-935a-2e078a46f03e

Attributes

encryption_key
DAFF70D249B4EC619D5A052FDD3418E3549FF268
install_name
KR6nDu9fLhop1bFe.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Defender.Process
subdirectory
SubDir

Targets

- Target
  
  Build.exe
- Size
  
  15KB
- MD5
  
  27275853bd5996fb2f3767772d068d56
- SHA1
  
  14fb4c3c74870f14af8c4cd7c8eafa81c99c70c2
- SHA256
  
  abe621c37b2e40f6c6b3d9da15e37d4001188e10bac99e5d66c23cee23b98d03
- SHA512
  
  7e05ec050eaea236c04d74042ac1b2d5634e2be0dd3b8807bada25c38f2f758de9cc25d69fcfd5086b949dc74b97ad2401bce9e6db541153cec60e33024cc887
- SSDEEP
  
  384:twpcZrxSdohsUVdko8bxjsCa2txgb6P/sxErmM8/ANWUh:mpSk8VOfb2M669Sct
Score

10^/10

quasar office04 execution spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

quasaroffice04executionspywarestealertrojan

© 2018-2024

Terms | Privacy