quasar | 0a8c7f13dde48266557795d9b15654f508fa30065740575b2f6be3c2f5b749d1 | Triage

Submit
Reports

Overview

overview

Static

static

1

$phantom-p...ll.bat

windows11-21h2-x64

Sharing

General

Target

$phantom-powershell.bat
Size

586KB
Sample

240607-tnabzsbh33
MD5

be2e3adcd233ea65761c8b188cc0206a
SHA1

2702edee993505b58bb094c6a996bcb67458252a
SHA256

0a8c7f13dde48266557795d9b15654f508fa30065740575b2f6be3c2f5b749d1
SHA512

7de6e0657eed64cc56bdb57ad6cb758ceeda61bbb44c63225ae29ad507d50b7e16cbff2abc2e994da03206593e47c7c858deb7e0698e322e391c37256cd2098a
SSDEEP

12288:RUepamz1Deupz8y/mG1RO4CD6UWFpbocRql3ymCW/MwUpdF8P1:Rfawek/mgR67/HIdF8P1

Score

10^/10

quasar zer0spy execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

$phantom-powershell.bat

Resource

win11-20240426-en

quasar zer0spy execution spyware trojan

windows11-21h2-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Zer0Spy

C2

127.0.0.1:4782

Mutex

QSR_MUTEX_9vwtyaiSuBr8jzh6yA

Attributes

encryption_key
hDMI6Wy4P2AUTiZAh6a2
install_name
$phantom-powershell.exe
log_directory
$phantom-Logs
reconnect_delay
3000
startup_key
Windows PowerShell
subdirectory
$phantom-zer0spy2

Targets

- Target
  
  $phantom-powershell.bat
- Size
  
  586KB
- MD5
  
  be2e3adcd233ea65761c8b188cc0206a
- SHA1
  
  2702edee993505b58bb094c6a996bcb67458252a
- SHA256
  
  0a8c7f13dde48266557795d9b15654f508fa30065740575b2f6be3c2f5b749d1
- SHA512
  
  7de6e0657eed64cc56bdb57ad6cb758ceeda61bbb44c63225ae29ad507d50b7e16cbff2abc2e994da03206593e47c7c858deb7e0698e322e391c37256cd2098a
- SSDEEP
  
  12288:RUepamz1Deupz8y/mG1RO4CD6UWFpbocRql3ymCW/MwUpdF8P1:Rfawek/mgR67/HIdF8P1
Score

10^/10

quasar zer0spy execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarzer0spyexecutionspywaretrojan

© 2018-2024

Terms | Privacy