quasar | 0565d80022e4035fe21f5fa489a866fe24b9bbcd58e68a82f61df89aec623ee8 | Triage

Submit
Reports

Overview

overview

Static

static

1

Foto DC.png

windows10-ltsc 2021-x64

Sharing

General

Target

Foto DC.png
Size

1.4MB
Sample

241122-2w14nsxmgr
MD5

0ab308fbdda54c8fd7c04b7e0c0fffb4
SHA1

7a0bbe6f6f943e97fc47224505587549c7d6df1d
SHA256

0565d80022e4035fe21f5fa489a866fe24b9bbcd58e68a82f61df89aec623ee8
SHA512

5866b071e8838a5d4b6e31bf01d70acbefb70a2ee3d6f9ffd9b1e820f5d2e27f2c1fef33c0f517025df4b8bbad9d9928f913a4fbe0ed634a6d0f5c6d89030437
SSDEEP

24576:kvghhDIDQ57xL24Vr62E1KOvCG2USqro2F5HGa3chp0tRPb64GHwxnt:OwDI857xL24OKOv+Zqc2F5MhpQRPG4GS

Score

10^/10

quasar office04 discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Foto DC.png

Resource

win10ltsc2021-20241023-en

quasar office04 discovery spyware stealer trojan

windows10-ltsc 2021-x64

32 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

10.127.0.210:4782

Mutex

QSR_MUTEX_VxGlxWsqilIBkKwFHx

Attributes

encryption_key
9Dda4rNsdoW46bMmjQZV
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.127.0.210:4782

Mutex

6935cf5e-d059-43aa-9ca1-b346ab9507bb

Attributes

encryption_key
E9872268753A7D72DA867CBC7D6208F50BD3F8EE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Foto DC.png
- Size
  
  1.4MB
- MD5
  
  0ab308fbdda54c8fd7c04b7e0c0fffb4
- SHA1
  
  7a0bbe6f6f943e97fc47224505587549c7d6df1d
- SHA256
  
  0565d80022e4035fe21f5fa489a866fe24b9bbcd58e68a82f61df89aec623ee8
- SHA512
  
  5866b071e8838a5d4b6e31bf01d70acbefb70a2ee3d6f9ffd9b1e820f5d2e27f2c1fef33c0f517025df4b8bbad9d9928f913a4fbe0ed634a6d0f5c6d89030437
- SSDEEP
  
  24576:kvghhDIDQ57xL24Vr62E1KOvCG2USqro2F5HGa3chp0tRPb64GHwxnt:OwDI857xL24OKOv+Zqc2F5MhpQRPG4GS
Score

10^/10

quasar office04 discovery spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Browser Information Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryspywarestealertrojan

© 2018-2024

Terms | Privacy