quasar | e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9 | Triage

Sharing

General

Target

Pix_id8680.js
Size

18KB
Sample

240724-bb5m9aydpm
MD5

1311ee7d5350ada4e1670432f2f2618f
SHA1

e25c980202fcdf06511734c37ca703e012626c62
SHA256

e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9
SHA512

187f23f3a381563c2eeb9c273ddd34bd9c044283579f6000a1dc6595a62aa50cf4faa28f644107140f66a8e234bf5258bfcc30930c70143edcdf966c747a814a
SSDEEP

384:PnmDxlzTVyhWrKLDrRX/Y3CBOj0xDusFM623U84:vmDxvVQrB/YSBOj0xKsMlH4

Score

10^/10

quasar recomeco defense_evasion discovery execution persistence spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/gk5zDwdG

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Recomeco

C2

15.235.61.212:5552

Mutex

rQp3LFG3Jkv7ob8MOH

Attributes

encryption_key
VYA1GjjnuckdAWisXsLT
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Targets

- Target
  
  Pix_id8680.js
- Size
  
  18KB
- MD5
  
  1311ee7d5350ada4e1670432f2f2618f
- SHA1
  
  e25c980202fcdf06511734c37ca703e012626c62
- SHA256
  
  e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9
- SHA512
  
  187f23f3a381563c2eeb9c273ddd34bd9c044283579f6000a1dc6595a62aa50cf4faa28f644107140f66a8e234bf5258bfcc30930c70143edcdf966c747a814a
- SSDEEP
  
  384:PnmDxlzTVyhWrKLDrRX/Y3CBOj0xDusFM623U84:vmDxvVQrB/YSBOj0xKsMlH4
Score

10^/10

execution quasar recomeco defense_evasion discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarrecomecodefense_evasiondiscoveryexecutionpersistencespywaretrojan