quasar | 8c2ac7c0542810307230fba2f195317d0251fc253ec71b4b88216eba747db8c7 | Triage

Submit
Reports

Overview

overview

Static

static

3

a9b5fb701a...18.exe

windows7-x64

a9b5fb701a...18.exe

windows10-2004-x64

Sharing

General

Target

a9b5fb701a6d8bdb6a96bc14e07f74d4_JaffaCakes118
Size

1.7MB
Sample

240614-ptxl9avclq
MD5

a9b5fb701a6d8bdb6a96bc14e07f74d4
SHA1

d9f58e932885f3b46af2386899640f2796b10027
SHA256

8c2ac7c0542810307230fba2f195317d0251fc253ec71b4b88216eba747db8c7
SHA512

5b35a210abd8f68c24a142a91e64d7578828756d1809364051991981aed37eaf0c3da6cea2470883a9a1e9818441d3c463c6b7df2d4e5085fc38add20ebd8a19
SSDEEP

49152:tXfSL083FMeBQHt1C8NBcmPHy7es6028igRe0:xS1GJHt46Bxv1gRe0

Score

10^/10

quasar persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a9b5fb701a6d8bdb6a96bc14e07f74d4_JaffaCakes118.exe

Resource

win7-20231129-en

quasar persistence spyware trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

a9b5fb701a6d8bdb6a96bc14e07f74d4_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar persistence spyware trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  a9b5fb701a6d8bdb6a96bc14e07f74d4_JaffaCakes118
- Size
  
  1.7MB
- MD5
  
  a9b5fb701a6d8bdb6a96bc14e07f74d4
- SHA1
  
  d9f58e932885f3b46af2386899640f2796b10027
- SHA256
  
  8c2ac7c0542810307230fba2f195317d0251fc253ec71b4b88216eba747db8c7
- SHA512
  
  5b35a210abd8f68c24a142a91e64d7578828756d1809364051991981aed37eaf0c3da6cea2470883a9a1e9818441d3c463c6b7df2d4e5085fc38add20ebd8a19
- SSDEEP
  
  49152:tXfSL083FMeBQHt1C8NBcmPHy7es6028igRe0:xS1GJHt46Bxv1gRe0
Score

10^/10

quasar persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarpersistencespywaretrojan

behavioral2

quasarpersistencespywaretrojan

© 2018-2024

Terms | Privacy