quasar | ec2f7e6633f2eb4214371bc3701342599d6cfa0d6d94cd0b0f0c77e78d2bcd6c | Triage

Sharing

General

Target

main.bat
Size

5KB
Sample

241122-dfw8sayqel
MD5

9079b22a006d46af116cd7f27534f131
SHA1

9f9fd7a2234cad3de7ea9acf55c05034d124c6e2
SHA256

ec2f7e6633f2eb4214371bc3701342599d6cfa0d6d94cd0b0f0c77e78d2bcd6c
SHA512

cd36c23a25031056c74c38212f859b0ce78556347c60ab2b797743fc821676a0df633b66acbbc6812e2b696560df941af1208f284d5176d4ac083ecdd88375c8
SSDEEP

24:6I5MGfsNZSp805N0DW0i0+0eW000vZ0/W0w0bw0noW0KUQ0q+w0wW0z0a0lW0ujs:6R8sNZSptWM5m1otCigAq0

Score

10^/10

quasar bot defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

C2

wooting2000-47095.portmap.host:47095

Mutex

2e05f1ef-743b-4020-b18a-7f4276517e8b

Attributes

encryption_key
E83D6FC31962786DAEA703F111D2381786DF06CA
install_name
Modification1.5.14.12.exe
log_directory
Logs
reconnect_delay
3126
startup_key
explorer.dll
subdirectory
SubDir

Targets

- Target
  
  main.bat
- Size
  
  5KB
- MD5
  
  9079b22a006d46af116cd7f27534f131
- SHA1
  
  9f9fd7a2234cad3de7ea9acf55c05034d124c6e2
- SHA256
  
  ec2f7e6633f2eb4214371bc3701342599d6cfa0d6d94cd0b0f0c77e78d2bcd6c
- SHA512
  
  cd36c23a25031056c74c38212f859b0ce78556347c60ab2b797743fc821676a0df633b66acbbc6812e2b696560df941af1208f284d5176d4ac083ecdd88375c8
- SSDEEP
  
  24:6I5MGfsNZSp805N0DW0i0+0eW000vZ0/W0w0bw0noW0KUQ0q+w0wW0z0a0lW0ujs:6R8sNZSptWM5m1otCigAq0
Score

10^/10

quasar bot defense_evasion discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Ignore Process Interrupts

Credential Access

Discovery

Query Registry

Remote System Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarbotdefense_evasiondiscoveryexecutionspywaretrojan