quasar | 343ede22fe4ea40332033bb21aa899d9adbc2bacbae9fdddeb1380f8f47b3554 | Triage

Submit
Reports

Overview

overview

Static

static

3

873a1e2ab5...cs.exe

windows7-x64

1

873a1e2ab5...cs.exe

windows10-2004-x64

Sharing

General

Target

873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe
Size

12KB
Sample

240608-dtlzzagb9x
MD5

873a1e2ab5cd98979796cc8b3c3f66f0
SHA1

6718139b5d776255705f629a6401796c51eece6f
SHA256

343ede22fe4ea40332033bb21aa899d9adbc2bacbae9fdddeb1380f8f47b3554
SHA512

4c8bd119704358f7dd0170fb49fae206ef2f896c6bea689e3be747134b89c7738c0568eed31fc36666912505cb389608c3c88dd81b4662f0a60fb7811050e458
SSDEEP

192:hV2bkl73eFDvjyNaWjpC5+ZLbaYWL3RmmxWyQVLSLrLQv88VsemfMSEsYz:ykV3eFDvjmLiLhmmxWyQVLSLrL08us9G

Score

10^/10

quasar dilly evasion spyware themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe

Resource

win7-20240221-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

quasar dilly evasion spyware themida trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

C2

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
en

Targets

- Target
  
  873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe
- Size
  
  12KB
- MD5
  
  873a1e2ab5cd98979796cc8b3c3f66f0
- SHA1
  
  6718139b5d776255705f629a6401796c51eece6f
- SHA256
  
  343ede22fe4ea40332033bb21aa899d9adbc2bacbae9fdddeb1380f8f47b3554
- SHA512
  
  4c8bd119704358f7dd0170fb49fae206ef2f896c6bea689e3be747134b89c7738c0568eed31fc36666912505cb389608c3c88dd81b4662f0a60fb7811050e458
- SSDEEP
  
  192:hV2bkl73eFDvjyNaWjpC5+ZLbaYWL3RmmxWyQVLSLrLQv88VsemfMSEsYz:ykV3eFDvjmLiLhmmxWyQVLSLrL08us9G
Score

10^/10

quasar dilly evasion spyware themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasardillyevasionspywarethemidatrojan

© 2018-2024

Terms | Privacy