quasar | beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0 | Triage

Submit
Reports

Overview

overview

Static

static

5

87756bf702...18.exe

windows7-x64

87756bf702...18.exe

windows10-2004-x64

Sharing

General

Target

87756bf702699c3df85d5e2f773308ea_JaffaCakes118
Size

1.4MB
Sample

240531-sqjsrscd5w
MD5

87756bf702699c3df85d5e2f773308ea
SHA1

b8797a64796649605e138b45bc5112a07329f1df
SHA256

beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0
SHA512

f16c78308f8686e2cc28408b5265e710ffbe389161ef5c9df9f454c62f5a88c8ae207e859bd6ffa6b990944911b534c7085f70e9bd30e89ad407262d8a91c293
SSDEEP

24576:JAHnh+eWsN3skA4RV1Hom2KXMmHawWv769AZEeFxD3140je8211Wxv14Rf995:Qh+ZkldoPK8Yaw4D1FxRZJgp

Score

10^/10

quasar revengerat office04 execution persistence spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe

Resource

win7-20240221-en

quasar office04 execution persistence spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

87756bf702699c3df85d5e2f773308ea_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar revengerat office04 execution persistence spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

brave.webredirect.org:5467

Mutex

Xa8hxCQyVS1H1Wdqe8

Attributes

encryption_key
BLgRDyrND0s3i7A4nwYc
install_name
Micsoft.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Micsoft
subdirectory
Micsoft Updata

Extracted

Family

revengerat

Mutex

Targets

- Target
  
  87756bf702699c3df85d5e2f773308ea_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  87756bf702699c3df85d5e2f773308ea
- SHA1
  
  b8797a64796649605e138b45bc5112a07329f1df
- SHA256
  
  beb2a7c0eaa4c35c9f9a699417c395d78e9e76ffc790c40e7a0987b8044577e0
- SHA512
  
  f16c78308f8686e2cc28408b5265e710ffbe389161ef5c9df9f454c62f5a88c8ae207e859bd6ffa6b990944911b534c7085f70e9bd30e89ad407262d8a91c293
- SSDEEP
  
  24576:JAHnh+eWsN3skA4RV1Hom2KXMmHawWv769AZEeFxD3140je8211Wxv14Rf995:Qh+ZkldoPK8Yaw4D1FxRZJgp
Score

10^/10

quasar office04 execution persistence spyware trojan revengerat stealer
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04executionpersistencespywaretrojan

behavioral2

quasarrevengeratoffice04executionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy