quasar | 86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6 | Triage

Sharing

General

Target

86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
Size

34KB
Sample

241120-fy2bkawphr
MD5

9de372f748c4a9dd77ddbfb325c1a31d
SHA1

bef15c9f755dd25031424a63a07ec5ec8199c92e
SHA256

86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6
SHA512

2b7f936be2afd76990a65c5f32bba350ce2b96b9a9c14b14190bf2fa3bced04953787eb12b7f17e600e3a9000328fdfeea851373a21e16919c874964039a83d7
SSDEEP

768:ZCB/mZMXnTgjjSxKSbG6d30tjRi2T5EXbOfq1lk7kbzP:ZIxTgh29d3KRXT5cbOt7knP

Score

10^/10

quasar fontdrvhost defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fontdrvhost

C2

archerleet.duckdns.org:1862

Mutex

92d56566-deb6-4133-9031-d3e24abe97f9

Attributes

encryption_key
0971EF27DF92928DE49B97AC507E38E80FF68C6E
install_name
fontdrvhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fontdrvhost
subdirectory
Driver

Targets

- Target
  
  86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6.exe
- Size
  
  34KB
- MD5
  
  9de372f748c4a9dd77ddbfb325c1a31d
- SHA1
  
  bef15c9f755dd25031424a63a07ec5ec8199c92e
- SHA256
  
  86e6a56d03817c4369a67631d7eeca99a0a9b6b7635a1d159c9bc2263d7abad6
- SHA512
  
  2b7f936be2afd76990a65c5f32bba350ce2b96b9a9c14b14190bf2fa3bced04953787eb12b7f17e600e3a9000328fdfeea851373a21e16919c874964039a83d7
- SSDEEP
  
  768:ZCB/mZMXnTgjjSxKSbG6d30tjRi2T5EXbOfq1lk7kbzP:ZIxTgh29d3KRXT5cbOt7knP
Score

10^/10

quasar fontdrvhost defense_evasion execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarfontdrvhostdefense_evasionexecutionspywaretrojan