quasar | 8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f

Sharing

Copy URL

Twitter E-mail

General

Target

autodist_proproctor_M2 (2).zip
Size

34.9MB
Sample

241112-2p6etasgrk
MD5

38cbe4bfde65070ccbd42fd6d4fd7517
SHA1

a6c8e7cea56ffe8eae93db6128f440cfdf7078e7
SHA256

8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f
SHA512

251405e6b4885f2e72be95494609899c7fbd51371e5389c9d3bfdbca7201af24a4ba3724ba409c9837960277194115575c3538c921afde456b96cd763b8d0c15
SSDEEP

786432:qK3WRVP/LiO0hSfYxv73lwlOxWyr4Rp73lwlOxWyr4RMst9:qK67iOwSf+73lxxWyrCp73lxxWyrCMc

Score

10^/10

Malware Config

Targets

- Target
  
  autodist_proproctor_M2 (2).zip
- Size
  
  34.9MB
- MD5
  
  38cbe4bfde65070ccbd42fd6d4fd7517
- SHA1
  
  a6c8e7cea56ffe8eae93db6128f440cfdf7078e7
- SHA256
  
  8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f
- SHA512
  
  251405e6b4885f2e72be95494609899c7fbd51371e5389c9d3bfdbca7201af24a4ba3724ba409c9837960277194115575c3538c921afde456b96cd763b8d0c15
- SSDEEP
  
  786432:qK3WRVP/LiO0hSfYxv73lwlOxWyr4Rp73lwlOxWyr4RMst9:qK67iOwSf+73lxxWyrCp73lxxWyrCMc
Score

10^/10

quasar discovery evasion persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  autodist_proproctor_M2/Client-built.exe
- Size
  
  12.4MB
- MD5
  
  f7813477edabc442160c2b4bd5a28efb
- SHA1
  
  b544c8c8ad68d5ae8c339a304adff69e4001f617
- SHA256
  
  628bd830648e0e4e85fba4aac5b89540a2af7a69933a020aa17b42af2a0cc665
- SHA512
  
  6e234439915709786536424e6a0c807c64ae2326188e78eb4b081f48a6471b86683fa125423654fc95e441b1236cbde537ecc2a243131f92ac82000f68190a23
- SSDEEP
  
  393216:nTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:THJY5c1uSkqJc5l6ZtP
Score

10^/10

quasar discovery evasion persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  autodist_proproctor_M2/Client.exe
- Size
  
  12.3MB
- MD5
  
  49fee9e45690cb2d12f32923ff5c7060
- SHA1
  
  eaa52d56f0998b81bd54397d0d0d0c68d47e4838
- SHA256
  
  4bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
- SHA512
  
  e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
- SSDEEP
  
  393216:oTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:KHJY5c1uSkqJc5l6ZtP
Score

10^/10

quasar discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral3
- Target
  
  autodist_proproctor_M2/Client.exe.config
- Size
  
  161B
- MD5
  
  c16b0746faa39818049fe38709a82c62
- SHA1
  
  3fa322fe6ed724b1bc4fd52795428a36b7b8c131
- SHA256
  
  d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
- SHA512
  
  cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
Score

3^/10

discovery
behavioral4
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks (1).exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral5
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks (2).exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral6
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks.exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral7
- Target
  
  autodist_proproctor_M2/Mono.Cecil.dll
- Size
  
  277KB
- MD5
  
  8df4d6b5dc1629fcefcdc20210a88eac
- SHA1
  
  16c661757ad90eb84228aa3487db11a2eac6fe64
- SHA256
  
  3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
- SHA512
  
  874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
- SSDEEP
  
  6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA
Score

1^/10
behavioral8
- Target
  
  autodist_proproctor_M2/Mono.Nat.dll
- Size
  
  45KB
- MD5
  
  e3986207ac534dcc31265bbfbd2ccc79
- SHA1
  
  3f1139ed1a4e2332507765a60ed2bf4dc0d6c29e
- SHA256
  
  89bf6331396dcf10a4d779059105f61a50b4d2fbbe7bf89cdd5dc3102296415f
- SHA512
  
  ede1e4bd5763cbeee3b20b53c8678c2a73cd50ca6963235cfab5a7795fc8cc47b42a4e9e0b16b4b68d0b39590bd61fc0e63a9667ead2414e7d1bb2c5e7d95cbb
- SSDEEP
  
  768:YxXMxm4zlPzz8uZR/QZEIllyJRLoO5Clgu:YuBPz9PQVzyJhtkN
Score

1^/10
behavioral9
- Target
  
  autodist_proproctor_M2/Profiles/Default.xml
- Size
  
  1014B
- MD5
  
  7a93a183ecd0710fb4cd1413dab7527e
- SHA1
  
  9291b9ad8eeb03ac54e096534b11ea9c860ef9ff
- SHA256
  
  280bd4dc49b7b780aa9fa3e625ff3fde09cf4b2bd9438a4637837c06dbf7c2dd
- SHA512
  
  39dd600908fe9bcda6bd89e4695f3b4cac1be6362603ed36b2fad0f13bbc474fdca20bf6f90262e081282e635ed771ee18dda7035af2cc5e9b92e5a6dc1caf40
Score

3^/10

discovery
behavioral10
- Target
  
  autodist_proproctor_M2/Quasar.exe.config
- Size
  
  161B
- MD5
  
  c16b0746faa39818049fe38709a82c62
- SHA1
  
  3fa322fe6ed724b1bc4fd52795428a36b7b8c131
- SHA256
  
  d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
- SHA512
  
  cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
Score

3^/10

discovery
behavioral11
- Target
  
  autodist_proproctor_M2/Quasar.vmp.exe
- Size
  
  2.1MB
- MD5
  
  a0dace1b704c623aba724810af79fb01
- SHA1
  
  39ccaaa4ed9840a2f8492f0bda615ae9f8e8b8dd
- SHA256
  
  ef857f86022cd05c7916f9422ea9f731277b33a4c21efd2e2a475d95d6739f6d
- SHA512
  
  b6ccc516c7b506d4ad8094474c9b558f79a189e0790344aac54f240a9124f13dff7d485fdbcc05d83ea7330ce673f88bd4a51c7c09668cf5a006ca09304054dc
- SSDEEP
  
  49152:2pz4hkuxPKIviLopYiKfrjhkQSe+Lt6GDA6:EEhkuxCIvikp/KfJkQQlDA6
Score

10^/10

evasion trojan
- UAC bypass
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral12
- Target
  
  autodist_proproctor_M2/Vestris.ResourceLib.dll
- Size
  
  76KB
- MD5
  
  64e9cb25aeefeeba3bb579fb1a5559bc
- SHA1
  
  e719f80fcbd952609475f3d4a42aa578b2034624
- SHA256
  
  34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
- SHA512
  
  b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
- SSDEEP
  
  1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp
Score

1^/10
behavioral13
- Target
  
  autodist_proproctor_M2/client.bin
- Size
  
  12.3MB
- MD5
  
  49fee9e45690cb2d12f32923ff5c7060
- SHA1
  
  eaa52d56f0998b81bd54397d0d0d0c68d47e4838
- SHA256
  
  4bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
- SHA512
  
  e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
- SSDEEP
  
  393216:oTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:KHJY5c1uSkqJc5l6ZtP
Score

10^/10

quasar discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral14
- Target
  
  autodist_proproctor_M2/settings.xml
- Size
  
  410B
- MD5
  
  12251926fa9dcba8e4804f6a4b916738
- SHA1
  
  e05acba7468274ad42d42f3074e26e46e2ae5474
- SHA256
  
  4146117a7634ca0298529582217756dd06d19370d6806325ce0ab07878bb0c57
- SHA512
  
  d9bb8b63ae15195e652412a5cfa81b863675a5405e8945dee8679b96ed65eac58ffe2af411981058ddc51640d7316a6535ccbaa9591d763df7f43380bc8ad104
Score

3^/10

discovery
behavioral15

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Quasar RAT

Quasar family

Quasar payload

UAC bypass

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Quasar RAT

Quasar family

Quasar payload

UAC bypass

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Quasar RAT

Quasar family

Quasar payload

UAC bypass

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Quasar RAT

Quasar family

Quasar payload

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15