quasar | f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba | Triage

Submit
Reports

Overview

overview

Static

static

3

atikmdag-p...er.exe

windows7-x64

7

atikmdag-p...er.exe

windows10-2004-x64

Sharing

General

Target

f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba
Size

4.0MB
Sample

240605-mj4xgadh59
MD5

1980f26b8bb4d1bab28e14e9fba92a66
SHA1

1a8407e4ce990e69e00b70906f3ef76b24c7d2d7
SHA256

f0c179b8db5374fa9c4ef639b24bbc363cc99843bfaef5709db2dfb716ce26ba
SHA512

059abc42faacd9e8c96955e5dabc123a5cb0a9ff4995caeefab399b0e20cfb366789af6a3cdd56ac52aaba480bfedd516968c54a10d490bef15a94fcebf8901c
SSDEEP

98304:jJnn4s9iZhey5dO/fZb4ylKR/ZSuo34OGIEWutWMKVPAr:tnn4QOsIdsfZb4yKR/ZQ34/FWq4VPAr

Score

10^/10

quasar redline office infostealer spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

atikmdag-patcher-1.4.14/atikmdag-patcher.exe

Resource

win7-20240215-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

atikmdag-patcher-1.4.14/atikmdag-patcher.exe

Resource

win10v2004-20240508-en

quasar redline office infostealer spyware trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

135.181.235.186:2424

Mutex

vLjWia7oT7CKQjEfGEyguygtygygg

Attributes

encryption_key
YwwSXy4xT39hdTVPGX0J
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  atikmdag-patcher-1.4.14/atikmdag-patcher.exe
- Size
  
  3.0MB
- MD5
  
  0e1cb5a76b5ed8013332712c9be3c61a
- SHA1
  
  b71e495ba56e1674ad202251dfa906767f011f86
- SHA256
  
  d98c1c6860f88f670d6a2bcce2736cc7294d88c9ca55d3b9306e784c5f336d37
- SHA512
  
  afb6346855cea9309f58c2c1c2ed89a0ef1a679209e75509e922477571b038349484789f4bd179446629b15e4034625bbbc43ff064cce124d52f27933391907a
- SSDEEP
  
  49152:Rdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEj9333cSP:CHDYsqiPRhINnq95FoHVB9333cO
Score

10^/10

quasar redline office infostealer spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

quasarredlineofficeinfostealerspywaretrojan

© 2018-2024

Terms | Privacy