quasar | 7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64

General

Target

$sxr-Uni2.bat
Size

796KB
Sample

240531-2f92msgf95
MD5

03137a8d9aaa39d4266d6cafecc5ccb2
SHA1

65ab5f05615d7aeb12a8f64f2339af341172784d
SHA256

7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64
SHA512

a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226
SSDEEP

12288:sJOiyoo1m8Y8HvatsI8a0XNQ7UCPWa/9SC+KSXs+kYWjJ4rT+/mq6z4Q4uatxyG:sciyK8YzJ8BwUCPTwC+KysEWjG+D6l4b

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

127.0.0.1:4782

Mutex

$Sxr-mRtuuIZppUEbmX171W

Attributes

encryption_key
s5xN6p335pnxD0WJMnnQ
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  $sxr-Uni2.bat
- Size
  
  796KB
- MD5
  
  03137a8d9aaa39d4266d6cafecc5ccb2
- SHA1
  
  65ab5f05615d7aeb12a8f64f2339af341172784d
- SHA256
  
  7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64
- SHA512
  
  a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226
- SSDEEP
  
  12288:sJOiyoo1m8Y8HvatsI8a0XNQ7UCPWa/9SC+KSXs+kYWjJ4rT+/mq6z4Q4uatxyG:sciyK8YzJ8BwUCPTwC+KysEWjG+D6l4b
Score

10^/10

quasar slave execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3