quasar | ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045 | Triage

Submit
Reports

Overview

overview

Static

static

1

Space Paid v2.bat

windows10-1703-x64

Space Paid v2.bat

windows10-2004-x64

Space Paid v2.bat

windows11-21h2-x64

Sharing

General

Target

Space Paid v2.bat
Size

586KB
Sample

240611-y6bpzszgpg
MD5

a5c3bef843c9d6022db92547f32855d1
SHA1

816338da7ee45d496f39bbd36c6b106ee0b3e2fe
SHA256

ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045
SHA512

0e44e31275a89f29388418538f57cb3437ad1d24f08d0c3c7d85a1a906c5b212024f2960237b66e3f2838923497e82f198ad8c4ed0b34548190e6db03504f1bd
SSDEEP

12288:aAjiyOzsNdeAKQ1pCTt/dMpEncClHel1wF2sEyutyF7Pd8CM:aA+yOYHlKopC/62caqT+d8R

Score

10^/10

quasar slave execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Space Paid v2.bat

Resource

win10-20240404-en

quasar slave execution spyware trojan

windows10-1703-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Space Paid v2.bat

Resource

win10v2004-20240611-en

quasar slave execution spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Behavioral task

behavioral3

Sample

Space Paid v2.bat

Resource

win11-20240508-en

quasar slave execution spyware trojan

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.0.0

Botnet

Slave

C2

runderscore00-63294.portmap.host:63294

Mutex

QSR_MUTEX_KJSikjqkjc5AYGioTK

Attributes

encryption_key
bU53s6xktYcC9aQVfouV
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Space Paid v2.bat
- Size
  
  586KB
- MD5
  
  a5c3bef843c9d6022db92547f32855d1
- SHA1
  
  816338da7ee45d496f39bbd36c6b106ee0b3e2fe
- SHA256
  
  ef70e618b652c777b3b2e589d1381bda6c7e49e7f2510334257c1e2add139045
- SHA512
  
  0e44e31275a89f29388418538f57cb3437ad1d24f08d0c3c7d85a1a906c5b212024f2960237b66e3f2838923497e82f198ad8c4ed0b34548190e6db03504f1bd
- SSDEEP
  
  12288:aAjiyOzsNdeAKQ1pCTt/dMpEncClHel1wF2sEyutyF7Pd8CM:aA+yOYHlKopC/62caqT+d8R
Score

10^/10

quasar slave execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarslaveexecutionspywaretrojan

behavioral2

quasarslaveexecutionspywaretrojan

behavioral3

quasarslaveexecutionspywaretrojan

© 2018-2024

Terms | Privacy