quasar | 99df601daf636cfc09df2eeceb7a9bcbb98c0798eac147f379cfcb2c2853d69c | Triage

Sharing

General

Target

burpsuite2.2.EXE
Size

208.5MB
Sample

241126-h3b9cazrb1
MD5

e65eadc039a63720027b5806936bb1f6
SHA1

608d8d9ef45b0bf71257078ca8a68bcd5fe1ec49
SHA256

99df601daf636cfc09df2eeceb7a9bcbb98c0798eac147f379cfcb2c2853d69c
SHA512

d113f24f4be83c71142df7a19c0c67da89a7e79286692621c8da03f30c0ec18ff2e4dd6957d5a8c7b3e05354cb26428a873fc04909ceb5800e5ef9021126bcd1
SSDEEP

6291456:ZY6l+mOWCkh3PjGl8bJcA8HKWEuxp5HT:m6l+mO6tPKMJUqWEuxv

Score

10^/10

quasar systemsom discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

systemsom

C2

systemsom.ddns.net:4444

Mutex

QSR_MUTEX_yUyz7QlfeoeehMJRGY

Attributes

encryption_key
mWoA6fgoQ3ThegdvvCAD
install_name
shost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mcsftt
subdirectory
micsft

Targets

- Target
  
  burpsuite2.2.EXE
- Size
  
  208.5MB
- MD5
  
  e65eadc039a63720027b5806936bb1f6
- SHA1
  
  608d8d9ef45b0bf71257078ca8a68bcd5fe1ec49
- SHA256
  
  99df601daf636cfc09df2eeceb7a9bcbb98c0798eac147f379cfcb2c2853d69c
- SHA512
  
  d113f24f4be83c71142df7a19c0c67da89a7e79286692621c8da03f30c0ec18ff2e4dd6957d5a8c7b3e05354cb26428a873fc04909ceb5800e5ef9021126bcd1
- SSDEEP
  
  6291456:ZY6l+mOWCkh3PjGl8bJcA8HKWEuxp5HT:m6l+mO6tPKMJUqWEuxv
Score

10^/10

quasar systemsom discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarsystemsomdiscoverypersistencespywaretrojan