quasar | d2d3f197a13bdd19a00bc0a2e1de1704f3103142d723b0a6a0ab522aa0bd4524 | Triage

Sharing

General

Target

a4e04fcc301833211359e575150cc7cc_JaffaCakes118
Size

656KB
Sample

241127-ahvaestlcp
MD5

a4e04fcc301833211359e575150cc7cc
SHA1

815d3f4eb2029ec80408bea43fb1e1febadadaf6
SHA256

d2d3f197a13bdd19a00bc0a2e1de1704f3103142d723b0a6a0ab522aa0bd4524
SHA512

82ec43e69b86c26aec4f2b22e25301259f9ec00fdb1e9b3c67699a71dac04d1b6148f1a01f0922832b99d631ae5e292cf020a6e0054ddaf056a25b1b49add376
SSDEEP

12288:k5bTxmvjcBEEnpMuWtlVQOGKxWd1zmFCWNshg78cBhjr2JWH3Qx02U:6bTxmvjanpRy2K8d1zmI4shgP5rxHgxQ

Score

10^/10

quasar office04w discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04w

C2

societyf500.ddns.net:5490

Mutex

f4264bdc-b486-4a30-a042-2bcfb907b3c7

Attributes

encryption_key
0204DFA093E27B72F1617CCEA6076BCCE5D0A482
install_name
dwmq.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dwmq
subdirectory
explorer

Targets

- Target
  
  a4e04fcc301833211359e575150cc7cc_JaffaCakes118
- Size
  
  656KB
- MD5
  
  a4e04fcc301833211359e575150cc7cc
- SHA1
  
  815d3f4eb2029ec80408bea43fb1e1febadadaf6
- SHA256
  
  d2d3f197a13bdd19a00bc0a2e1de1704f3103142d723b0a6a0ab522aa0bd4524
- SHA512
  
  82ec43e69b86c26aec4f2b22e25301259f9ec00fdb1e9b3c67699a71dac04d1b6148f1a01f0922832b99d631ae5e292cf020a6e0054ddaf056a25b1b49add376
- SSDEEP
  
  12288:k5bTxmvjcBEEnpMuWtlVQOGKxWd1zmFCWNshg78cBhjr2JWH3Qx02U:6bTxmvjanpRy2K8d1zmI4shgP5rxHgxQ
Score

10^/10

quasar office04w discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04wdiscoverypersistencespywaretrojan

behavioral2

quasaroffice04wdiscoverypersistencespywaretrojan