quasar | ed098d7dc50ce75bc364fe18d99df66e3761a74f234f4bcf96f2895dd0c1fbc4 | Triage

Sharing

General

Target

ed098d7dc50ce75bc364fe18d99df66e3761a74f234f4bcf96f2895dd0c1fbc4N
Size

3.6MB
Sample

241021-ed34zsyerm
MD5

eaab27b2ddf8f180a9a39cf41cc315b0
SHA1

3911cd0517ffc749813b0d37a24748e1b7f87840
SHA256

ed098d7dc50ce75bc364fe18d99df66e3761a74f234f4bcf96f2895dd0c1fbc4
SHA512

2aa9745e51b51e613b1e64e21d29beb2a324b53dfff8a3c02952b4c679e392acf43e1b8fa71d427b1105fdd7f6b9067e1c69b477507971d8e89d00b35a32d405
SSDEEP

98304:WePiQC7Nny+mfIydB6Yd0dfs+bkhDKN4MyiGny:3PiQkty/ZdB5aJkTny

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

139.99.114.150:4782

Mutex

5d00609e-0fa1-420e-ae32-932ac5f0d8a0

Attributes

encryption_key
353F228C32E13DAE9184FE5306B840EBAF1CD966
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  ed098d7dc50ce75bc364fe18d99df66e3761a74f234f4bcf96f2895dd0c1fbc4N
- Size
  
  3.6MB
- MD5
  
  eaab27b2ddf8f180a9a39cf41cc315b0
- SHA1
  
  3911cd0517ffc749813b0d37a24748e1b7f87840
- SHA256
  
  ed098d7dc50ce75bc364fe18d99df66e3761a74f234f4bcf96f2895dd0c1fbc4
- SHA512
  
  2aa9745e51b51e613b1e64e21d29beb2a324b53dfff8a3c02952b4c679e392acf43e1b8fa71d427b1105fdd7f6b9067e1c69b477507971d8e89d00b35a32d405
- SSDEEP
  
  98304:WePiQC7Nny+mfIydB6Yd0dfs+bkhDKN4MyiGny:3PiQkty/ZdB5aJkTny
Score

10^/10

discovery execution persistence quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecutionpersistence

behavioral2

quasaroffice04discoveryexecutionpersistencespywaretrojan