quasar | a1d508edff87a505a4349f82aa50ab3fe657a44e4a4613b0eb63d5e8d01b8723 | Triage

Sharing

General

Target

a1d508edff87a505a4349f82aa50ab3fe657a44e4a4613b0eb63d5e8d01b8723N.exe
Size

876KB
Sample

241124-x4rsravncz
MD5

81cb7328f6e4c75fbbfbc328fdb21df0
SHA1

c086e182fb08a835e51125f0d997af0155d1d0a2
SHA256

a1d508edff87a505a4349f82aa50ab3fe657a44e4a4613b0eb63d5e8d01b8723
SHA512

7ea8623c8e17eac7b5451b69ffa5eb98888e7ffac6e1b00e1681881812bb9de308086ce01e2f65a32ba3f16bf20f2826fc55b5e159fc18a32a52191e82970a27
SSDEEP

12288:6COzWsvIDqNc4Gqu7x5BRd6CMWMpFY0wjTyE9OXcg6VpUoME4KN6eclg5QU:BOzxiqgjx5TddMWM0/83UDMTKgw

Score

10^/10

quasar aoy discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

AOY

C2

87.120.120.27:61540

127.0.0.1:61540

87.121.86.205:61541

Mutex

QSR_MUTEX_NOCv4TURf46HbVbxyc

Attributes

encryption_key
fVsndNhImy9VosyZSQbQ
install_name
updates.exe
log_directory
Logs
reconnect_delay
4000
startup_key
Windows Update
subdirectory
Windows

Targets

- Target
  
  a1d508edff87a505a4349f82aa50ab3fe657a44e4a4613b0eb63d5e8d01b8723N.exe
- Size
  
  876KB
- MD5
  
  81cb7328f6e4c75fbbfbc328fdb21df0
- SHA1
  
  c086e182fb08a835e51125f0d997af0155d1d0a2
- SHA256
  
  a1d508edff87a505a4349f82aa50ab3fe657a44e4a4613b0eb63d5e8d01b8723
- SHA512
  
  7ea8623c8e17eac7b5451b69ffa5eb98888e7ffac6e1b00e1681881812bb9de308086ce01e2f65a32ba3f16bf20f2826fc55b5e159fc18a32a52191e82970a27
- SSDEEP
  
  12288:6COzWsvIDqNc4Gqu7x5BRd6CMWMpFY0wjTyE9OXcg6VpUoME4KN6eclg5QU:BOzxiqgjx5TddMWM0/83UDMTKgw
Score

10^/10

quasar aoy discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaraoydiscoveryspywaretrojan

behavioral2

quasaraoydiscoveryspywaretrojan