quasar | b43a7d061f8f4f8a51a0dbd558491600a5f1693f642a2033d7a5292e1b8dcbc0 | Triage

Submit
Reports

Overview

overview

Static

static

1

win.bat

windows10-2004-x64

Sharing

General

Target

win.bat
Size

585KB
Sample

240611-21aghsvgnd
MD5

f377b5767f571bf7cda462e24789c235
SHA1

9bd0227755d378a1de1f664aad91699ffe4a8ec4
SHA256

b43a7d061f8f4f8a51a0dbd558491600a5f1693f642a2033d7a5292e1b8dcbc0
SHA512

f24b0a6282c75cf496c2edd37c925ce08be11bbe319852bd54b0152f968dc1c75cd91692ecbb9c60025eba0609ecd88ea0463aa3189a4a9ced91e5ea9fe3e37c
SSDEEP

12288:raJm+Yth2zVMa7rY0GUe6P1+DJLp88u0rEl4EBjBly7y9p84iQ5be2v3K97HpGv:O8hmVUUeQ+DDu0Il4EBry78qhQZJaFp+

Score

10^/10

quasar retard execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

win.bat

Resource

win10v2004-20240426-en

quasar retard execution spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Retard

C2

looking-memphis.gl.at.ply.gg:45119

Mutex

QSR_MUTEX_NdVmtbzKaAsjfD9IEq

Attributes

encryption_key
QtqJRs7xO06fGK1rIZkn
install_name
wind.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  win.bat
- Size
  
  585KB
- MD5
  
  f377b5767f571bf7cda462e24789c235
- SHA1
  
  9bd0227755d378a1de1f664aad91699ffe4a8ec4
- SHA256
  
  b43a7d061f8f4f8a51a0dbd558491600a5f1693f642a2033d7a5292e1b8dcbc0
- SHA512
  
  f24b0a6282c75cf496c2edd37c925ce08be11bbe319852bd54b0152f968dc1c75cd91692ecbb9c60025eba0609ecd88ea0463aa3189a4a9ced91e5ea9fe3e37c
- SSDEEP
  
  12288:raJm+Yth2zVMa7rY0GUe6P1+DJLp88u0rEl4EBjBly7y9p84iQ5be2v3K97HpGv:O8hmVUUeQ+DDu0Il4EBry78qhQZJaFp+
Score

10^/10

quasar retard execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarretardexecutionspywaretrojan

© 2018-2024

Terms | Privacy