quasar | eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f | Triage

Sharing

General

Target

SMTPChecker.exe
Size

23.1MB
Sample

241123-t7wz4atrfq
MD5

b2d4138a7cbb8b3e02d9f61c76f31f18
SHA1

629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c
SHA256

eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f
SHA512

f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988
SSDEEP

393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6

Score

10^/10

quasar office defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.200.149.95:6669

Mutex

6HcAGCOypVIi6hl6rR

Attributes

encryption_key
3Fmq36RtzQkpmjAWxAFM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DISC
subdirectory
SubDir

Targets

- Target
  
  SMTPChecker.exe
- Size
  
  23.1MB
- MD5
  
  b2d4138a7cbb8b3e02d9f61c76f31f18
- SHA1
  
  629dfd6d138fe6a9ff0492a63ef1ce0bd5356c6c
- SHA256
  
  eabb7c5d04a447b6af835c375f9e5535fa1250f5ae976686048bf4bc9766612f
- SHA512
  
  f9cc089193c91f603f0ed6f47f84fa7483344268a88b2bfdaa8914e5e9f07af84ab206bd621272718eaca8a3babdceeaf58cd25197b24adfc0cede6f3933c988
- SSDEEP
  
  393216:ZSzcigXdH1z88oOJOVyRzVOrRS1/Q1NeJ42Mjck4GREfMfoPwY74HpC1P5aw:mVgc8hJO4wK/EdcsEfQobeM6
Score

10^/10

quasar office defense_evasion discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarofficedefense_evasiondiscoveryexecutionspywaretrojan