quasar | e2e708e09031d7fa512f31ca4d6b10d0e48df7aff2a5b889477e792c6847a90c

Sharing

Copy URL

Twitter E-mail

General

Target

343434.zip
Size

2.5MB
Sample

240913-xlnndatbra
MD5

c72bc91852793ad0fa7be4cd508ac3fc
SHA1

3b4e7a006419e35bacf1917fafc608ae581b0092
SHA256

e2e708e09031d7fa512f31ca4d6b10d0e48df7aff2a5b889477e792c6847a90c
SHA512

3bb4e450c342ab9cc0736a59b1391a529bcce77da5a59297ae943aba5a9393157a711cb5701b4fcfdd68d077211b32e8cac6f9627e4d46fcae033c1f24319110
SSDEEP

24576:JLgsYbcLgsYbNLgsYb6LgsYbcLgsYbRLgsYbF:JLTL+LRLnLALS

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

gimp1

193.42.33.210:4444

gimpdns.ddns.net:4444

Mutex

QSR_MUTEX_XwuUSTCgYhmnf6vJ1L

Attributes

encryption_key
lRzFKjYQKUKzh6RyUYYQ
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Targets

- Target
  
  AuroraALPHABUILD.0-6 - Copy (2).exe
- Size
  
  231.7MB
- MD5
  
  3cda647a8948f3ac4df14abf6f1d62c1
- SHA1
  
  f4da28914a3938e7de76546bcf911f539672459a
- SHA256
  
  c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
- SHA512
  
  77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
- SSDEEP
  
  6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
Score

10^/10

quasar gimp1 discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  AuroraALPHABUILD.0-6 - Copy (3).exe
- Size
  
  231.7MB
- MD5
  
  3cda647a8948f3ac4df14abf6f1d62c1
- SHA1
  
  f4da28914a3938e7de76546bcf911f539672459a
- SHA256
  
  c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
- SHA512
  
  77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
- SSDEEP
  
  6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
Score

10^/10

quasar gimp1 discovery persistence spyware trojan lateral_movement
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
- Drops file in System32 directory
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  AuroraALPHABUILD.0-6 - Copy (4).exe
- Size
  
  231.7MB
- MD5
  
  3cda647a8948f3ac4df14abf6f1d62c1
- SHA1
  
  f4da28914a3938e7de76546bcf911f539672459a
- SHA256
  
  c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
- SHA512
  
  77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
- SSDEEP
  
  6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
Score

10^/10

quasar gimp1 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  AuroraALPHABUILD.0-6 - Copy (5).exe
- Size
  
  231.7MB
- MD5
  
  3cda647a8948f3ac4df14abf6f1d62c1
- SHA1
  
  f4da28914a3938e7de76546bcf911f539672459a
- SHA256
  
  c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1
- SHA512
  
  77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd
- SSDEEP
  
  6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
Score

10^/10

quasar gimp1 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14 behavioral15 behavioral16
- Target
  
  AuroraALPHABUILD.0-6 - Copy.exe
- Size
  
  97.0MB
- MD5
  
  2b36c87327d49e2509816b80b90deb84
- SHA1
  
  9bd6b6edd4be18c825ea0c22210b7751849afcf3
- SHA256
  
  e809d65888127e63049885ba4fb12bcfba0ae6726e13197eb38975b73cd6019c
- SHA512
  
  f8ed673f8b67e0233ca6d390a244e7dfce1771e70979f231e140e060d8c124de69db77e487fb54baacadca19dd0a51be9a3eff8b1f4dfb36359c1435ab93eee2
- SSDEEP
  
  6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc
Score

10^/10

quasar gimp1 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18 behavioral19 behavioral20