quasar | 32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1 | Triage

Sharing

General

Target

CritScriptInstaller.bat
Size

6KB
Sample

241123-v84a8svpfk
MD5

a3ea9257f9f074a20df56d8978be9e77
SHA1

68d029092c7a591aac215e25269329c3c3859436
SHA256

32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1
SHA512

a61143e0680eb03fbf625da8a58aa338e88f0e12c65a3c07b2c10eead02e7a753d64e3d4271c34b04941ef772d3e772f28b53355b1a46ce4fc6aafff164c3b46
SSDEEP

192:k+6tCGPbseHYtPpUaYIKopCA8KyiXn2rCxHF:kviPpUaYIKor2i

Score

10^/10

quasar ddns discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

C2

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes

encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
install_name
jusched.exe
log_directory
CachedLogs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
Java

Targets

- Target
  
  CritScriptInstaller.bat
- Size
  
  6KB
- MD5
  
  a3ea9257f9f074a20df56d8978be9e77
- SHA1
  
  68d029092c7a591aac215e25269329c3c3859436
- SHA256
  
  32d2658a968790aa0039cf23fd097da860b938fb07d8d0b2f6779a71f40817b1
- SHA512
  
  a61143e0680eb03fbf625da8a58aa338e88f0e12c65a3c07b2c10eead02e7a753d64e3d4271c34b04941ef772d3e772f28b53355b1a46ce4fc6aafff164c3b46
- SSDEEP
  
  192:k+6tCGPbseHYtPpUaYIKopCA8KyiXn2rCxHF:kviPpUaYIKor2i
Score

10^/10

execution quasar ddns discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarddnsdiscoveryexecutionspywaretrojan