quasar | a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d | Triage

Sharing

General

Target

noloud.bat
Size

12KB
Sample

241124-w8yw7ayqhl
MD5

e435591eabd5596e754a7acaede7dca7
SHA1

2b1b728aae5d3e72fe4bc864559d0347489f995a
SHA256

a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d
SHA512

3248a7cf8542068c126906b9db5e3fb0dde7ca123b7cf3f5375aad6b5c65bb909db5e3b5e127104e664b57eea4774d5283228533f01beb45b50ccdd3545e8f69
SSDEEP

384:gTYcpQyuPmhDGEhtKCR2XYmE2JdAp6EbW263JM3jXMIccK:gTYcpQyuPmhDGEhtKCReU2JdjES3JQj4

Score

10^/10

quasar undercontrol discovery evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

UnderControl

C2

google-15-node.giize.com:9876

192.168.0.192:9876

127.0.0.1:9876

SeraiBawang-61025.portmap.io::61025

Mutex

BlackMaster: UnderControl

Attributes

encryption_key
070CDBCBB8132B62B93E1CB06630D9221F0FFA4A
install_name
MicrosoftAI.exe
log_directory
USSR
reconnect_delay
2000
startup_key
Microsoft Private Ai
subdirectory
Microsoft

Targets

- Target
  
  noloud.bat
- Size
  
  12KB
- MD5
  
  e435591eabd5596e754a7acaede7dca7
- SHA1
  
  2b1b728aae5d3e72fe4bc864559d0347489f995a
- SHA256
  
  a599fcae8f2c31fb4bf0fe02b30e4ee4bd23d599c6c3d9a571df508a470d690d
- SHA512
  
  3248a7cf8542068c126906b9db5e3fb0dde7ca123b7cf3f5375aad6b5c65bb909db5e3b5e127104e664b57eea4774d5283228533f01beb45b50ccdd3545e8f69
- SSDEEP
  
  384:gTYcpQyuPmhDGEhtKCR2XYmE2JdAp6EbW263JM3jXMIccK:gTYcpQyuPmhDGEhtKCReU2JdjES3JQj4
Score

10^/10

evasion execution persistence trojan quasar undercontrol discovery spyware
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutionpersistencetrojan

behavioral2

quasarundercontroldiscoveryevasionexecutionpersistencespywaretrojan