quasar | 2b29bc880c22f32fcf4da7c9240d57cce97701ef8ced8a80942be60e5a62b934

General

Target

BotOtp.zip
Size

23.1MB
Sample

241106-qgre5s1bkh
MD5

98b7ea90d83c25a0fa10d1311648f030
SHA1

a3c6104f2a2434dc16119c4f202dd6066ffd5466
SHA256

2b29bc880c22f32fcf4da7c9240d57cce97701ef8ced8a80942be60e5a62b934
SHA512

5a09369c731173dd4575e2cd2636c916356c235c815944ff3516b98bb82f1b70eaba19bbd5a87ffd24a2325cad579de47924bc9940705120c6710a82aa57f3fb
SSDEEP

393216:OupPyPL4BT5mV/RafK7VkjKMGzMEkiEHgzLSSmSt1Xth1NLRRibpK0BLyH8rM7n:VpPaL4BTORawoKkEkTgXVVXNL0U0BOHl

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes

encryption_key
3Fmq36RtzQkpmjAWxAFM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DISC
subdirectory
SubDir

Targets

- Target
  
  Database.py
- Size
  
  13KB
- MD5
  
  4b446b8df83e29ae3875fc6628a34d26
- SHA1
  
  124e5a5b4c743e7df8146e8de83c8854a8a91f94
- SHA256
  
  af3250b1fb3599d5f6e473b0c2a688efdf53fe075bc023ad09f92a1b9eda93cf
- SHA512
  
  cf29308e6765ee44f945c82c56d616e67d5e54eef2f6ef8d15382d47668f1a9850593dab114a1d8fba8c27ec9913fcc43356adb2fd7d7fe6a107b64b7f066137
- SSDEEP
  
  192:DtCzwhZUK1lG+t5e0o2P7oAqoRZmGssG4SscvNR4ugbOhcedhyyQ:FZR7B59LTdlRZmGssGfle8Qj
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Info.py
- Size
  
  245B
- MD5
  
  b57472e59e28a8bc6123efaecf4ea46c
- SHA1
  
  e83af35771a3f8469230c6fe9e22c7d6e605f9a8
- SHA256
  
  89df538129297f3a104168e33bea595703d6d5c64bed44642a165de6ecf2923c
- SHA512
  
  3a7bbff856c40afe53f01d03bb1fcf3f5e6230c955189c6a7d29982756197b54f4b13f298989e5e619622fafea00fba7ae221f7dc68dfebfe1fe5ff68742a0e9
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Main_botrun.exe
- Size
  
  23.8MB
- MD5
  
  e6ea60f7cba638e262aebbbbc337f364
- SHA1
  
  ddc525204f9511e3a2d322bb03445c135c92a1ca
- SHA256
  
  030a63147a608c906dabf42c00dfdfc0b245a6ecd81dcfc43d6fc0c95421f444
- SHA512
  
  bdc1a0bbba753cebabc16a1f7171ff5cd91f14e95fdfe96f9e17b0b95eb38bebbe7dd43f94465249ab52f3c1da9a918ad5585adc50db319f8bb1cceb77db4bfb
- SSDEEP
  
  393216:vKHtKeBbDybTlS/oFBjMpWRHU1xIYgLAXsLASfdWXhZaNDIlT1OLABpvE9RW6PCZ:vKHtvBbklSsJMg8xthXslRWs+9E90U
Score

10^/10

upx quasar office defense_evasion discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  Main.pyc
- Size
  
  90KB
- MD5
  
  c7efb9da956be8d2dbd5314342b1de21
- SHA1
  
  0b4fbc09fee104c3dc9574dd96fcf2823371be1c
- SHA256
  
  37a3bbf4e262fac0e51070adfcabb378ff781d2186d4cb2dafc9b0c0cf447240
- SHA512
  
  32799765f299464a90af7d6a844d8b5b411b1ab68099606334bb575d9abe60425e4da67d00bbef93191774377012d341ceaf943f06e9f75b77088f72f81e03f9
- SSDEEP
  
  1536:TtRrzJhz6InGZZjigX1LH4PEh8tWoZIGvFO8Wl:THvjzOZ9PoZIGvPWl
Score

3^/10

execution
behavioral7 behavioral8