quasar | 6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7 | Triage

Submit
Reports

Overview

overview

Static

static

svchost.exe

windows10-2004-x64

svchost.exe

windows11-21h2-x64

Sharing

General

Target

svchost.exe
Size

409KB
Sample

240606-n6z3gadh21
MD5

499ab44b3be0e431ee482c016f423b2f
SHA1

8f3fc11724012b202a6e78211a7bf4e323edb53f
SHA256

6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
SHA512

54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309
SSDEEP

6144:xMs9p1kREG60olUijSoNDu3MH6FFIUk6SsFbP7UIYQkG19asz6+MQ6M:dpiREGJHijSomjIoft7UIYxGHdmQ6M

Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan

Static task

static1

seroxen | v3.1.5 |quasar

3 signatures

Behavioral task

behavioral1

Sample

svchost.exe

Resource

win10v2004-20240508-en

quasar seroxen | v3.1.5 |spyware trojan

windows10-2004-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

svchost.exe

Resource

win11-20240426-en

quasar seroxen | v3.1.5 |spyware trojan

windows11-21h2-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

dating-mpegs.gl.at.ply.gg:6566

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
Nj2uU7r8zbApMgWfD7rz
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  svchost.exe
- Size
  
  409KB
- MD5
  
  499ab44b3be0e431ee482c016f423b2f
- SHA1
  
  8f3fc11724012b202a6e78211a7bf4e323edb53f
- SHA256
  
  6f9865911d6878366ce10e06b5e5a6b04897df18c1c3ebfb73de573467720fb7
- SHA512
  
  54b2612624b4310d8e0c1f571a7b7a10fb2948eed9929b7fed50a8b10155ef10c541e1239c59a75e179c0705b9d27a770f5d37b8c254b00c659f1af3c5d55309
- SSDEEP
  
  6144:xMs9p1kREG60olUijSoNDu3MH6FFIUk6SsFbP7UIYQkG19asz6+MQ6M:dpiREGJHijSomjIoft7UIYxGHdmQ6M
Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

seroxen | v3.1.5 |quasar

behavioral1

quasarseroxen | v3.1.5 |spywaretrojan

behavioral2

quasarseroxen | v3.1.5 |spywaretrojan

© 2018-2024

Terms | Privacy