quasar | 900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd | Triage

Submit
Reports

Overview

overview

Static

static

svchost.exe

windows7-x64

svchost.exe

windows10-2004-x64

Sharing

General

Target

svchost.exe
Size

3.1MB
Sample

240602-rgg25sfb66
MD5

26959ef393fbd309059d5e43041c4fb6
SHA1

c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
SHA256

900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
SHA512

8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
SSDEEP

49152:Ov8t62XlaSFNWPjljiFa2RoUYITUZ3larzLoGdOTHHB72eh2NT:OvA62XlaSFNWPjljiFXRoUYIK3G

Score

10^/10

quasar office04 spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

svchost.exe

Resource

win7-20240221-en

quasar office04 spyware trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

svchost.exe

Resource

win10v2004-20240426-en

quasar office04 spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

5.tcp.eu.ngrok.io:10972

Mutex

b028487a-6e45-4b66-9e91-3d4903e32b6c

Attributes

encryption_key
91137B461EAD4C8D03DB7ED595191162855E87F2
install_name
DRIVER32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DRIVER32
subdirectory
SYSWOW

Targets

- Target
  
  svchost.exe
- Size
  
  3.1MB
- MD5
  
  26959ef393fbd309059d5e43041c4fb6
- SHA1
  
  c3ce55ccf75e8f505bc5ff0b3013a9ae54904b42
- SHA256
  
  900e126e8d56ee42be9bf08c083366e7b4d1ce8d4764ab70e8c45f1fa73a75cd
- SHA512
  
  8f87ac4586e538e7adf399eda06c7565e628baab961b23c11f5f4cf24c1439014c7d83f9725d3494910227f78074d0bc2899b9e35040f04a9f53bcc15700f03d
- SSDEEP
  
  49152:Ov8t62XlaSFNWPjljiFa2RoUYITUZ3larzLoGdOTHHB72eh2NT:OvA62XlaSFNWPjljiFXRoUYIK3G
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy