quasar | 57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa | Triage

Sharing

General

Target

BRUH_QUASAR.exe
Size

3.1MB
Sample

240601-we3naaah32
MD5

24a82c21233460c9796a86c7857a2adf
SHA1

88017202e84f8d0174caa451bbebd64401ae8032
SHA256

57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa
SHA512

32aa12d6dfe90c7dbe2c8f82d60d92e649d381b365c7cc7493526693257d5f859ea8ae5b8b6424193f5465aac76bf210415949ea7b18965644b01f27f38f47a1
SSDEEP

98304:ifNEOWyKYuMQ+xuMiTMBzOKYLSmPX1qadpu4IdXeYbsjeveyYHHY8evKe5Xfc9Oe:AfNuMiTNKYmmPX1qadpu4IdXeYbsjevK

Score

10^/10

quasar remcos $oxy collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

$OXY

C2

193.34.77.154:4782

Mutex

fc050dca-72e2-474b-873c-c6835aec5c39

Attributes

encryption_key
7F75A06DDBDADB13C7843DF2026145379D75E4DA
install_name
$OXY_EXE.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$OXY_START
subdirectory
$OXY_SUB

Extracted

Family

remcos

Botnet

$OXY

C2

193.34.77.154:9872

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
2
copy_file
$OXY.exe
copy_folder
$OXY
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
$OXYlogs.dat
keylog_flag
false
keylog_folder
$OXY
keylog_path
%WinDir%\System32
mouse_option
false
mutex
$OXY-6JA1WZ
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
$OXY_Screenshots
screenshot_path
%WinDir%\System32
screenshot_time
120
startup_value
$OXY
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  BRUH_QUASAR.exe
- Size
  
  3.1MB
- MD5
  
  24a82c21233460c9796a86c7857a2adf
- SHA1
  
  88017202e84f8d0174caa451bbebd64401ae8032
- SHA256
  
  57e13460fbe54a3cc57d9abfaf6ef9a9c3c2d804230e4df7d8f97408501e7dfa
- SHA512
  
  32aa12d6dfe90c7dbe2c8f82d60d92e649d381b365c7cc7493526693257d5f859ea8ae5b8b6424193f5465aac76bf210415949ea7b18965644b01f27f38f47a1
- SSDEEP
  
  98304:ifNEOWyKYuMQ+xuMiTMBzOKYLSmPX1qadpu4IdXeYbsjeveyYHHY8evKe5Xfc9Oe:AfNuMiTNKYmmPX1qadpu4IdXeYbsjevK
Score

10^/10

quasar remcos $oxy collection persistence rat spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarremcos$oxycollectionpersistenceratspywarestealertrojan