quasar | b11faba7760b0fdb433ab416944a6c420db27216981aee61749f44bb51e61cb8 | Triage

Submit
Reports

Overview

overview

Static

static

Update.exe

windows7-x64

Update.exe

windows10-2004-x64

Sharing

General

Target

Update.exe
Size

413KB
Sample

241020-bt375ssfmj
MD5

1646711c224bff90075c63e282c7a509
SHA1

dcb31c89ea750a0c7f201f0b35ec886d7f56b485
SHA256

b11faba7760b0fdb433ab416944a6c420db27216981aee61749f44bb51e61cb8
SHA512

826a1cf500ae1802bf55e5e73525e6a7c14a9e788c8e779291675b47e0a18424e49e369e39d3861b0e8491d230b5019c8db38632ee16f78a27fa8929c9d007df
SSDEEP

6144:aNmEjkzQT1TVNVSSL+4LuTWhDW3+y4WbjHSKr1MkP+7ZKvxueoLqGGe:i1TVV7ScaYS3vrHSKr1M85vxueoLlGe

Score

10^/10

quasar office04 discovery execution spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

Update.exe

Resource

win7-20240903-en

quasar office04 discovery execution spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Update.exe

Resource

win10v2004-20241007-en

quasar office04 discovery execution spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

late-mills.gl.at.ply.gg:21882

Mutex

$Sxr-H1UAIiBrogH7Kydvmf

Attributes

encryption_key
65yyFHEhMNxs2L9wZOfw
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen Client Startup
subdirectory
SubDir

Targets

- Target
  
  Update.exe
- Size
  
  413KB
- MD5
  
  1646711c224bff90075c63e282c7a509
- SHA1
  
  dcb31c89ea750a0c7f201f0b35ec886d7f56b485
- SHA256
  
  b11faba7760b0fdb433ab416944a6c420db27216981aee61749f44bb51e61cb8
- SHA512
  
  826a1cf500ae1802bf55e5e73525e6a7c14a9e788c8e779291675b47e0a18424e49e369e39d3861b0e8491d230b5019c8db38632ee16f78a27fa8929c9d007df
- SSDEEP
  
  6144:aNmEjkzQT1TVNVSSL+4LuTWhDW3+y4WbjHSKr1MkP+7ZKvxueoLqGGe:i1TVV7ScaYS3vrHSKr1M85vxueoLlGe
Score

10^/10

quasar office04 discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryexecutionspywaretrojan

behavioral2

quasaroffice04discoveryexecutionspywaretrojan

© 2018-2024

Terms | Privacy