quasar | 2924eb7ce3f424a385b71823017af1b572fe19e8c91fdf1be26a712891f57a74 | Triage

Submit
Reports

Overview

overview

Static

static

3

WaveCracked.exe

windows10-1703-x64

Sharing

General

Target

WaveCracked.exe
Size

17.8MB
Sample

240717-pg92tatbng
MD5

befc855906a931a247dac42f51f94dcc
SHA1

d0c611c614a9697b10c6f58c9dc91c0e12670b25
SHA256

2924eb7ce3f424a385b71823017af1b572fe19e8c91fdf1be26a712891f57a74
SHA512

cdcdb109e2170ea4d878e8080a3227efe3c1e658226740f82c11c0e2a8df97328d31f1293b3ab8568af91fd39ea2fbe283fbe41d8875d8ef4ac5d051cb77168b
SSDEEP

393216:E7TliC76u0Mz6VzVgqd5kTiy9o9KNHkzMmsW0W3WWRqusbMGCNFxHWN:YiC76u0M6VGqcTiChWAjBZMGyF2

Score

10^/10

quasar umbral steam defense_evasion pyinstaller spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WaveCracked.exe

Resource

win10-20240404-en

quasar umbral steam defense_evasion pyinstaller spyware stealer trojan

windows10-1703-x64

25 signatures

1800 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Steam

C2

20.ip.gl.ply.gg:55257

Mutex

15d4edb7-40c0-4a95-9dc8-8fe93071bce0

Attributes

encryption_key
F1B995FFCFBEAA3218870A13F82413DC65D82218
install_name
Steam.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SteamClient
subdirectory
%appdata%

Targets

- Target
  
  WaveCracked.exe
- Size
  
  17.8MB
- MD5
  
  befc855906a931a247dac42f51f94dcc
- SHA1
  
  d0c611c614a9697b10c6f58c9dc91c0e12670b25
- SHA256
  
  2924eb7ce3f424a385b71823017af1b572fe19e8c91fdf1be26a712891f57a74
- SHA512
  
  cdcdb109e2170ea4d878e8080a3227efe3c1e658226740f82c11c0e2a8df97328d31f1293b3ab8568af91fd39ea2fbe283fbe41d8875d8ef4ac5d051cb77168b
- SSDEEP
  
  393216:E7TliC76u0Mz6VzVgqd5kTiy9o9KNHkzMmsW0W3WWRqusbMGCNFxHWN:YiC76u0M6VGqcTiChWAjBZMGyF2
Score

10^/10

quasar umbral steam defense_evasion pyinstaller spyware stealer trojan
- Detect Umbral payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarumbralsteamdefense_evasionpyinstallerspywarestealertrojan

© 2018-2024

Terms | Privacy