quasar | 5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693 | Triage

Sharing

General

Target

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
Size

359KB
Sample

241119-2kg7estra1
MD5

c820d74f7c81a37b97c9bfc22e65c568
SHA1

76bf7b427b0c1f2fc63315d1fd1645b387860659
SHA256

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
SHA512

4b11ea4632c685159e6eed1113c2d7e4617e866f93615fa8fef1e6484f9b0fff7105422739ade962f37549b2b76ccf0a75a436dccbe7abbdd10dcf493d2ca9c3
SSDEEP

6144:b4up0yN90QEV9DKkTB1rF2yCnsYvAVQOtRsmkwzMf4u+bb9BDjvb:bky90DdKkTBJFrYvWQsR9kwpNbb9Vb

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

maximazorreguieta.no-ip.info:3406

queenmaxima.zapto.org:3406

Mutex

QSR_MUTEX_FAc01gnRthaGJO3mEj

Attributes

encryption_key
6KdEgYSDGAflKInAE9Az
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
- Size
  
  359KB
- MD5
  
  c820d74f7c81a37b97c9bfc22e65c568
- SHA1
  
  76bf7b427b0c1f2fc63315d1fd1645b387860659
- SHA256
  
  5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
- SHA512
  
  4b11ea4632c685159e6eed1113c2d7e4617e866f93615fa8fef1e6484f9b0fff7105422739ade962f37549b2b76ccf0a75a436dccbe7abbdd10dcf493d2ca9c3
- SSDEEP
  
  6144:b4up0yN90QEV9DKkTB1rF2yCnsYvAVQOtRsmkwzMf4u+bb9BDjvb:bky90DdKkTBJFrYvWQsR9kwpNbb9Vb
Score

10^/10

quasar office04 discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryexecutionpersistencespywaretrojan