quasar | 6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa

Sharing

Copy URL

Twitter E-mail

General

Target

Password_Is_MadeByBKA.rar
Size

9.3MB
Sample

240818-qv2s2aydjj
MD5

5a23736751d69efa3f8ddde7e1a21b50
SHA1

d4e164b257e3045b9def50cb8374709482b91342
SHA256

6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa
SHA512

e10aec6a64955a104e91df59c6a29151b77ba24a818234f4350b6a8247e99dd4de58a4744ac080b9c8bea63400879f24f8eecc3ad802bfa6e41d82420d66b0a9
SSDEEP

196608:DStfDf00BEGl+DiBzifd4bfAbeY1dtx1SkvWcBbvX5dd38UneuendDvItO4:2l1BUDiBzil4bfADnDBt374ig4

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | VanillaRAT

163.5.215.216:4782

Mutex

cbadd9b5-ddec-4242-bf61-1d311f862dd3

Attributes

encryption_key
1C7D50D49C8CFBD67416B7A7C9CD3F45FD94217E
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Targets

- Target
  
  Release/Handlers/Handler.bat
- Size
  
  12.7MB
- MD5
  
  e154d92aa7ecd7728940f32bb2c82cc6
- SHA1
  
  b004e191ae993b3deab2d77c6f99c64e5de55672
- SHA256
  
  37be53a96145cd6ad7557e95d85a256377af9d9e126538a4733ebde178254cc5
- SHA512
  
  b8b822fc4d8295a59700b7750fff7841f56ed877207e622dd7d7b0435ce737f212d5f754c95f2329b87e83c1ae796b07724276473256d8787f0f87b1871121e4
- SSDEEP
  
  49152:Fh5PUtdFBcAJU7Ygqef4u6NE6BGzp3OtWxgusC7QG5r0Wn9O3oGpWJtPS1P8keqj:4
Score

10^/10

defense_evasion quasar v2.2.5 | vanillarat discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  Release/VanillaRat.exe
- Size
  
  1.7MB
- MD5
  
  59fea74c326c7e496617bb45bdfbcc00
- SHA1
  
  7c0dd54592857eed1cb068e24315b2bbe7511b76
- SHA256
  
  9b6dcbe8df1be5241a40987a416e896737a7442db492e9df8413277835fb766d
- SHA512
  
  443005543a476b0c3ef4744ba0b7075185cf0ae80783c06f98ee2845872c54ad2ee6d69810acaed692720b5ad19129935b751e45ac8725b050ccca5b94ecc6ba
- SSDEEP
  
  24576:Lz2qwZHZd2PjnRh3Xz2DrtasSA7ZUNnbkAqE6joUZ57W:f2qw+nYVZY6jog
Score

10^/10

execution defense_evasion quasar v2.2.5 | vanillarat discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral5 behavioral6 behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Window

T1564.003

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Loads dropped DLL

Hide Artifacts: Hidden Window

Suspicious use of SetThreadContext

Quasar RAT

Quasar payload

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Loads dropped DLL

Hide Artifacts: Hidden Window

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8