quasar | 9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a | Triage

Submit
Reports

Overview

overview

Static

static

3

8c48c8c45d...18.exe

windows7-x64

8c48c8c45d...18.exe

windows10-2004-x64

Sharing

General

Target

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118
Size

718KB
Sample

240602-ak621acf42
MD5

8c48c8c45d7f3bdd3c888a1c75fa9b27
SHA1

1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5
SHA256

9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a
SHA512

f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb
SSDEEP

12288:XEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XL817n3WGhs:XEEbuQ9WmD1HITPTnXL81LDhhWeOqJEx

Score

10^/10

quasar svchost spyware trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe

Resource

win7-20240215-en

quasar svchost spyware trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar svchost spyware trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

svchost

C2

scvhosts.duckdns.org:1604

Mutex

QSR_MUTEX_InsAUB54MmLlzTys9a

Attributes

encryption_key
pOXtQTNjkHXEe8G4lu1f
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Svchost
subdirectory
svchost

Targets

- Target
  
  8c48c8c45d7f3bdd3c888a1c75fa9b27_JaffaCakes118
- Size
  
  718KB
- MD5
  
  8c48c8c45d7f3bdd3c888a1c75fa9b27
- SHA1
  
  1d212ea492feb0c4695745d51ac0ac2e9fb7b2b5
- SHA256
  
  9aab35f222f2953738e83432940f14af4e12e72a741f80fa5dec7d0197ed6e7a
- SHA512
  
  f2a4a77bdb4a3ce39eda27121dfe01f71f91cd3d89b52098c71140fa89b3b89259a9c5e3323953ac332d42af2df1ef0eebe9801a25749b4965bf635c1a841deb
- SSDEEP
  
  12288:XEv8FVujUpVTWgThfJ614X5p/iYHI0Oq8M0oko8ZiFhDF8KSpTTj/XL817n3WGhs:XEEbuQ9WmD1HITPTnXL81LDhhWeOqJEx
Score

10^/10

quasar svchost spyware trojan upx
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarsvchostspywaretrojanupx

behavioral2

quasarsvchostspywaretrojanupx

© 2018-2024

Terms | Privacy