quasar | 8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f

Sharing

Copy URL

Twitter E-mail

General

Target

autodist_proproctor_M22.zip
Size

34.9MB
Sample

241112-2xwwcashmq
MD5

38cbe4bfde65070ccbd42fd6d4fd7517
SHA1

a6c8e7cea56ffe8eae93db6128f440cfdf7078e7
SHA256

8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f
SHA512

251405e6b4885f2e72be95494609899c7fbd51371e5389c9d3bfdbca7201af24a4ba3724ba409c9837960277194115575c3538c921afde456b96cd763b8d0c15
SSDEEP

786432:qK3WRVP/LiO0hSfYxv73lwlOxWyr4Rp73lwlOxWyr4RMst9:qK67iOwSf+73lxxWyrCp73lxxWyrCMc

Score

10^/10

Malware Config

Targets

- Target
  
  autodist_proproctor_M2/Client-built.exe
- Size
  
  12.4MB
- MD5
  
  f7813477edabc442160c2b4bd5a28efb
- SHA1
  
  b544c8c8ad68d5ae8c339a304adff69e4001f617
- SHA256
  
  628bd830648e0e4e85fba4aac5b89540a2af7a69933a020aa17b42af2a0cc665
- SHA512
  
  6e234439915709786536424e6a0c807c64ae2326188e78eb4b081f48a6471b86683fa125423654fc95e441b1236cbde537ecc2a243131f92ac82000f68190a23
- SSDEEP
  
  393216:nTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:THJY5c1uSkqJc5l6ZtP
Score

10^/10

quasar discovery evasion persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  autodist_proproctor_M2/Client.exe
- Size
  
  12.3MB
- MD5
  
  49fee9e45690cb2d12f32923ff5c7060
- SHA1
  
  eaa52d56f0998b81bd54397d0d0d0c68d47e4838
- SHA256
  
  4bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
- SHA512
  
  e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
- SSDEEP
  
  393216:oTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:KHJY5c1uSkqJc5l6ZtP
Score

10^/10

discovery quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral3 behavioral4
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks (1).exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks (2).exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  autodist_proproctor_M2/Clients/yamun@YAMUNA_A813E46/onlinetestwks.exe
- Size
  
  178KB
- MD5
  
  0646998ef06d1e8d3471824151d23dfe
- SHA1
  
  ff3d549f20df9740847a36b218f3565f8613e0ab
- SHA256
  
  6e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
- SHA512
  
  f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
- SSDEEP
  
  3072:xqnayTh0g24PvrURqgkdEIBewDbMTEksaSnurra:was0g2mrUUgkdrewDbq
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  autodist_proproctor_M2/Mono.Cecil.dll
- Size
  
  277KB
- MD5
  
  8df4d6b5dc1629fcefcdc20210a88eac
- SHA1
  
  16c661757ad90eb84228aa3487db11a2eac6fe64
- SHA256
  
  3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
- SHA512
  
  874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
- SSDEEP
  
  6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA
Score

1^/10
behavioral11 behavioral12
- Target
  
  autodist_proproctor_M2/Mono.Nat.dll
- Size
  
  45KB
- MD5
  
  e3986207ac534dcc31265bbfbd2ccc79
- SHA1
  
  3f1139ed1a4e2332507765a60ed2bf4dc0d6c29e
- SHA256
  
  89bf6331396dcf10a4d779059105f61a50b4d2fbbe7bf89cdd5dc3102296415f
- SHA512
  
  ede1e4bd5763cbeee3b20b53c8678c2a73cd50ca6963235cfab5a7795fc8cc47b42a4e9e0b16b4b68d0b39590bd61fc0e63a9667ead2414e7d1bb2c5e7d95cbb
- SSDEEP
  
  768:YxXMxm4zlPzz8uZR/QZEIllyJRLoO5Clgu:YuBPz9PQVzyJhtkN
Score

1^/10
behavioral13 behavioral14
- Target
  
  autodist_proproctor_M2/Quasar.vmp.exe
- Size
  
  2.1MB
- MD5
  
  a0dace1b704c623aba724810af79fb01
- SHA1
  
  39ccaaa4ed9840a2f8492f0bda615ae9f8e8b8dd
- SHA256
  
  ef857f86022cd05c7916f9422ea9f731277b33a4c21efd2e2a475d95d6739f6d
- SHA512
  
  b6ccc516c7b506d4ad8094474c9b558f79a189e0790344aac54f240a9124f13dff7d485fdbcc05d83ea7330ce673f88bd4a51c7c09668cf5a006ca09304054dc
- SSDEEP
  
  49152:2pz4hkuxPKIviLopYiKfrjhkQSe+Lt6GDA6:EEhkuxCIvikp/KfJkQQlDA6
Score

10^/10

evasion trojan
- UAC bypass
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15 behavioral16
- Target
  
  autodist_proproctor_M2/Vestris.ResourceLib.dll
- Size
  
  76KB
- MD5
  
  64e9cb25aeefeeba3bb579fb1a5559bc
- SHA1
  
  e719f80fcbd952609475f3d4a42aa578b2034624
- SHA256
  
  34cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
- SHA512
  
  b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
- SSDEEP
  
  1536:5Z0R489PUoltCY19T7Uf5DYoRvtkA2MNmjYgGKeK9jXGYWs:L0R489PUeCy7Uf5pVCMwjVG/K9jp
Score

1^/10
behavioral17 behavioral18
- Target
  
  autodist_proproctor_M2/client.bin
- Size
  
  12.3MB
- MD5
  
  49fee9e45690cb2d12f32923ff5c7060
- SHA1
  
  eaa52d56f0998b81bd54397d0d0d0c68d47e4838
- SHA256
  
  4bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
- SHA512
  
  e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
- SSDEEP
  
  393216:oTHuJuMZfRcpDfuSkqJc5YYR4FjlHN4Ol:KHJY5c1uSkqJc5l6ZtP
Score

10^/10

discovery quasar spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Quasar RAT

Quasar family

Quasar payload

UAC bypass

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Quasar RAT

Quasar family

Quasar payload

UAC bypass

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Quasar RAT

Quasar family

Quasar payload

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20