quasar | c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc | Triage

Sharing

General

Target

c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN
Size

1.0MB
Sample

241102-wwlq4a1gpd
MD5

7ccf1fdf90d92e8a7ebca6f935207440
SHA1

301ed5b0bd32f06a32855f659c9a44f0d1766d0a
SHA256

c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc
SHA512

a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1
SSDEEP

24576:7P3JAsyS48MGN075+RFfdX0SOvYZKjVNhFpV1SLzknZ7cPR:7P3CFS4w075+DdVezFpVcon1cP

Score

10^/10

quasar htroy discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HTROY

C2

87.120.116.115:61510

onadeatcamsides.sytes.net:61511

Mutex

QSR_MUTEX_ZAU4jFZ758CCGtDmef

Attributes

encryption_key
rK1SiSuzs11zCQEpJeMg
install_name
Updates.exe
log_directory
Logs
reconnect_delay
30000
startup_key
NewUpdates
subdirectory
Mindow

Targets

- Target
  
  c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadcN
- Size
  
  1.0MB
- MD5
  
  7ccf1fdf90d92e8a7ebca6f935207440
- SHA1
  
  301ed5b0bd32f06a32855f659c9a44f0d1766d0a
- SHA256
  
  c64b2003bf92e9f6fe2100877beb9cf30e1a5a3f1289e4f44a601e01e95afadc
- SHA512
  
  a7957cb6fb3e418f0eda322433dcc8518fde5a66a4da2fe7cf53d96f710169bf1e55ad698f1ccf0124b39c4d3107d3e52672e6eeb279c03e4d613fe0557cb5a1
- SSDEEP
  
  24576:7P3JAsyS48MGN075+RFfdX0SOvYZKjVNhFpV1SLzknZ7cPR:7P3CFS4w075+DdVezFpVcon1cP
Score

10^/10

quasar htroy discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarhtroydiscoveryspywaretrojan

behavioral2

quasarhtroydiscoveryspywaretrojan