quasar | f575fa2dd2b1745a20c2ad55dcdc08ad8423f7c6c224a5f241e7d144e18f31b0 | Triage

Sharing

General

Target

f575fa2dd2b1745a20c2ad55dcdc08ad8423f7c6c224a5f241e7d144e18f31b0N.exe
Size

3.1MB
Sample

241119-tsm4msxqgt
MD5

15ac9a2e7aa9fba93576ca6efe92f960
SHA1

38cea1bad1bcc254ffaec2ec38afaf6e43c7a9eb
SHA256

f575fa2dd2b1745a20c2ad55dcdc08ad8423f7c6c224a5f241e7d144e18f31b0
SHA512

b195a2ed477b2b0f20543982a27426ac04097e3a7134fe12b273cabd2da52002ff933155f7c8aa511dabc29c4173fb7a1a2aa997f626725250acd6427af2109a
SSDEEP

49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NT:7vNL26AaNeWgPhlmVqkQ7XSKd74wI

Score

10^/10

quasar runtimebroker spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

C2

anonam39-41248.portmap.io:41248

Mutex

bcabad1b-b1a9-478b-a187-3607b6476fd1

Attributes

encryption_key
479AF86B7B3A0AC9CE19AAE974A681BB6EE1949C
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a7

Targets

- Target
  
  f575fa2dd2b1745a20c2ad55dcdc08ad8423f7c6c224a5f241e7d144e18f31b0N.exe
- Size
  
  3.1MB
- MD5
  
  15ac9a2e7aa9fba93576ca6efe92f960
- SHA1
  
  38cea1bad1bcc254ffaec2ec38afaf6e43c7a9eb
- SHA256
  
  f575fa2dd2b1745a20c2ad55dcdc08ad8423f7c6c224a5f241e7d144e18f31b0
- SHA512
  
  b195a2ed477b2b0f20543982a27426ac04097e3a7134fe12b273cabd2da52002ff933155f7c8aa511dabc29c4173fb7a1a2aa997f626725250acd6427af2109a
- SSDEEP
  
  49152:7v/lL26AaNeWgPhlmVqvMQ7XSKd74wvMfY8oGdahZTHHB72eh2NT:7vNL26AaNeWgPhlmVqkQ7XSKd74wI
Score

10^/10

quasar runtimebroker spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

runtimebrokerquasar

behavioral1

quasarruntimebrokerspywaretrojan

behavioral2

quasarruntimebrokerspywaretrojan