quasar | 212041e0721657d19e29bf71ee058b9b0758adb113440aefac2275eab673440d | Triage

Submit
Reports

Overview

overview

Static

static

1

Loli.bat

windows10-2004-x64

Sharing

General

Target

Loli.bat
Size

3.8MB
Sample

240611-gf456swgnd
MD5

e4889d99388cceea3c907355304aae89
SHA1

eb257905a6b26999c8669b2dfd6514cbb58dbc24
SHA256

212041e0721657d19e29bf71ee058b9b0758adb113440aefac2275eab673440d
SHA512

dd2b2eeec89efbd64c3d38a1d767285bfe0fce5d63c0bd526d1638a4b05c85b77f61023dac7e3c3ea4c5e83673b1c43fbed3c9ab006783c185a6a4374d088a32
SSDEEP

49152:uQY5eZkygGG7xcLoUZvL/eEBeQOoKB5BQD8WChHHdxFh:W

Score

10^/10

quasar agilenet execution persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Loli.bat

Resource

win10v2004-20240508-en

quasar agilenet execution persistence spyware trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
E2FB9900B23756E2DDF30B24E44B0961BA7B0F9C
reconnect_delay
3000

Targets

- Target
  
  Loli.bat
- Size
  
  3.8MB
- MD5
  
  e4889d99388cceea3c907355304aae89
- SHA1
  
  eb257905a6b26999c8669b2dfd6514cbb58dbc24
- SHA256
  
  212041e0721657d19e29bf71ee058b9b0758adb113440aefac2275eab673440d
- SHA512
  
  dd2b2eeec89efbd64c3d38a1d767285bfe0fce5d63c0bd526d1638a4b05c85b77f61023dac7e3c3ea4c5e83673b1c43fbed3c9ab006783c185a6a4374d088a32
- SSDEEP
  
  49152:uQY5eZkygGG7xcLoUZvL/eEBeQOoKB5BQD8WChHHdxFh:W
Score

10^/10

quasar agilenet execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaragilenetexecutionpersistencespywaretrojan

© 2018-2024

Terms | Privacy