quasar | 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797 | Triage

Submit
Reports

Overview

overview

Static

static

SeroXenLauncher.exe

windows7-x64

SeroXenLauncher.exe

windows10-2004-x64

Sharing

General

Target

SeroXenLauncher.bat
Size

409KB
Sample

240702-bbh49atgrp
MD5

54d920888e6066870191f44fe0b27206
SHA1

87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e
SHA256

5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
SHA512

4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d
SSDEEP

6144:EM7Cp8XlizQNOa/YzLU+RefWtEOag0vQUvb3pOMZ97iJcfaohEt2+4nQQ:4pQl4QR/2LU+RefW7qg27iC+t0nQQ

Score

10^/10

quasar umbral seroxen execution spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SeroXenLauncher.exe

Resource

win7-20240611-en

quasar umbral seroxen execution spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

SeroXenLauncher.exe

Resource

win10v2004-20240611-en

quasar seroxen spyware trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

127.0.0.1:4782

browser-julia.gl.at.ply.gg:54488

Mutex

$Sxr-GV6wZsGZZMeZ3qfenc

Attributes

encryption_key
KH74MFPau2OXY0OqPzU8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1257452635888423017/-MpHtN8_KQyb61HJqaai1yrkmHQG75b_w1I_FDSgXUCXHSAsskj1fAM-GezxYcBKnRgl

Targets

- Target
  
  SeroXenLauncher.bat
- Size
  
  409KB
- MD5
  
  54d920888e6066870191f44fe0b27206
- SHA1
  
  87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e
- SHA256
  
  5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
- SHA512
  
  4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d
- SSDEEP
  
  6144:EM7Cp8XlizQNOa/YzLU+RefWtEOag0vQUvb3pOMZ97iJcfaohEt2+4nQQ:4pQl4QR/2LU+RefW7qg27iC+t0nQQ
Score

10^/10

quasar umbral seroxen execution spyware stealer trojan
- Detect Umbral payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarumbralseroxenexecutionspywarestealertrojan

behavioral2

quasarseroxenspywaretrojan

© 2018-2024

Terms | Privacy