quasar | 2cb0b6c1f841332c7ba8cadcf7f33765eb4bfc89f32286d3febdc0c0c99bf3fa | Triage

Submit
Reports

Overview

overview

Static

static

3

2af7826b80...cs.exe

windows7-x64

2af7826b80...cs.exe

windows10-2004-x64

Sharing

General

Target

2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe
Size

1.7MB
Sample

240611-g8smvaxemh
MD5

2af7826b803c1f5fba3e23b9b3de82f0
SHA1

9697a486c709cc061ed64ed376cab7d4af122986
SHA256

2cb0b6c1f841332c7ba8cadcf7f33765eb4bfc89f32286d3febdc0c0c99bf3fa
SHA512

119588fbfa918e620fb46103f55909453e1471dd4cb61ce59f1cfb49e8a1d8a837952f820500639207dcef2fb8ea7500e5a0d224f73c51fd9191cd88d3091a7e
SSDEEP

24576:Kr6ZB3xC3Bjut2ERKRJ+ZF3GwvNhi/hPvP6qVj9YuhmqKEJNDA+mFR9br:KmPx0uMEQJ+ZF2UNiFP3SjE8zR1

Score

10^/10

quasar evasion spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe

Resource

win7-20240220-en

quasar evasion spyware trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

quasar evasion spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  2af7826b803c1f5fba3e23b9b3de82f0_NeikiAnalytics.exe
- Size
  
  1.7MB
- MD5
  
  2af7826b803c1f5fba3e23b9b3de82f0
- SHA1
  
  9697a486c709cc061ed64ed376cab7d4af122986
- SHA256
  
  2cb0b6c1f841332c7ba8cadcf7f33765eb4bfc89f32286d3febdc0c0c99bf3fa
- SHA512
  
  119588fbfa918e620fb46103f55909453e1471dd4cb61ce59f1cfb49e8a1d8a837952f820500639207dcef2fb8ea7500e5a0d224f73c51fd9191cd88d3091a7e
- SSDEEP
  
  24576:Kr6ZB3xC3Bjut2ERKRJ+ZF3GwvNhi/hPvP6qVj9YuhmqKEJNDA+mFR9br:KmPx0uMEQJ+ZF2UNiFP3SjE8zR1
Score

10^/10

quasar evasion spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarevasionspywaretrojan

behavioral2

quasarevasionspywaretrojan

© 2018-2024

Terms | Privacy