quasar | e4ef08c926c4dcb650fc2507468dd14d7f342a7773610809a346b32cc66d2b59 | Triage

Submit
Reports

Overview

overview

Static

static

Jakemanloader.exe

windows7-x64

Jakemanloader.exe

windows10-2004-x64

Sharing

General

Target

Jakemanloader.exe
Size

3.1MB
Sample

240619-zy23mswdnm
MD5

85df03293e9fd6fd2bceabcf559d32a5
SHA1

c050c1a7e925d1e2bff05adecccd3c0fec1f00d6
SHA256

e4ef08c926c4dcb650fc2507468dd14d7f342a7773610809a346b32cc66d2b59
SHA512

c4a1c8c8eac076b84b222d1a96af16c846f7a4eac8e77754124f7cb221d70c04df868ccbb3375f3bc8fd81b3fd8e9fc8d7b24dffd6a9ff2cd0180de0f6ea30e8
SSDEEP

49152:ZsS4wA2Glaq5+RPelPedKukZ2UrGZMVgQjhIdoGd+BTHHB72eh2NT:ZsWA2Glaq5+RPelPed3kZ2UrGZMVgV

Score

10^/10

quasar eyewalled spyware trojan

Static task

static1

eyewalled quasar

3 signatures

Behavioral task

behavioral1

Sample

Jakemanloader.exe

Resource

win7-20240221-en

quasar eyewalled spyware trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

Jakemanloader.exe

Resource

win10v2004-20240508-en

quasar eyewalled spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Eyewalled

C2

147.185.221.18:18043

147.185.221.18:1358

Mutex

a3d2b6d9-f229-4f07-a990-dabdf6a10cde

Attributes

encryption_key
C3103FD765C0AA985FB78C6E1C9F042F8C43DE26
install_name
Client.exe
log_directory
Client
reconnect_delay
3001
startup_key
Github.git
subdirectory
Management

Targets

- Target
  
  Jakemanloader.exe
- Size
  
  3.1MB
- MD5
  
  85df03293e9fd6fd2bceabcf559d32a5
- SHA1
  
  c050c1a7e925d1e2bff05adecccd3c0fec1f00d6
- SHA256
  
  e4ef08c926c4dcb650fc2507468dd14d7f342a7773610809a346b32cc66d2b59
- SHA512
  
  c4a1c8c8eac076b84b222d1a96af16c846f7a4eac8e77754124f7cb221d70c04df868ccbb3375f3bc8fd81b3fd8e9fc8d7b24dffd6a9ff2cd0180de0f6ea30e8
- SSDEEP
  
  49152:ZsS4wA2Glaq5+RPelPedKukZ2UrGZMVgQjhIdoGd+BTHHB72eh2NT:ZsWA2Glaq5+RPelPed3kZ2UrGZMVgV
Score

10^/10

quasar eyewalled spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

eyewalledquasar

behavioral1

quasareyewalledspywaretrojan

behavioral2

quasareyewalledspywaretrojan

© 2018-2024

Terms | Privacy