quasar | 946cc4d31bbc501fa25c2b22efc8e07cd0ea326b276333600f98c33689d407df | Triage

Sharing

General

Target

WindowsDefender.exe
Size

205KB
Sample

241127-bhx7rawjar
MD5

53cb889affead37778d2ef39092d91da
SHA1

91820167c3b4065d07916adb0b56a867da1a68e9
SHA256

946cc4d31bbc501fa25c2b22efc8e07cd0ea326b276333600f98c33689d407df
SHA512

4cc5cbedf7a36a271e405bed1fb4beedde2c9e12e79e3100acd61b0160a9ad5f57c363457601104956f79327d7562944db8c4ae17e416fd27b0b6a39dd77d5c6
SSDEEP

768:BLzayT8ljccym5fCja4sYxE7FWPA9pHOMhna4OE3QjFMtUiLi8PqXhP5++:BLzgAcJ5fzFJ9pHOM1ZOE3cMt/P85U+

Score

10^/10

quasar xworm office04 discovery evasion persistence ransomware rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

anything-talked.gl.at.ply.gg:7897

Mutex

eSQIhPW4koQzrFdT

Attributes

Install_directory
%AppData%
install_file
Regedit.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

almost-visitor.gl.at.ply.gg:7995

Mutex

e8e985a7-62a2-410d-91ea-7249972738eb

Attributes

encryption_key
578EFB451288E8CFFF8CB67C63A1530F061DDBCD
install_name
WindowsDefender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows.Defender.exe
subdirectory
SubDir

Targets

- Target
  
  WindowsDefender.exe
- Size
  
  205KB
- MD5
  
  53cb889affead37778d2ef39092d91da
- SHA1
  
  91820167c3b4065d07916adb0b56a867da1a68e9
- SHA256
  
  946cc4d31bbc501fa25c2b22efc8e07cd0ea326b276333600f98c33689d407df
- SHA512
  
  4cc5cbedf7a36a271e405bed1fb4beedde2c9e12e79e3100acd61b0160a9ad5f57c363457601104956f79327d7562944db8c4ae17e416fd27b0b6a39dd77d5c6
- SSDEEP
  
  768:BLzayT8ljccym5fCja4sYxE7FWPA9pHOMhna4OE3QjFMtUiLi8PqXhP5++:BLzgAcJ5fzFJ9pHOM1ZOE3cMt/P85U+
Score

10^/10

quasar xworm office04 discovery evasion persistence ransomware rat spyware trojan
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

quasarxwormoffice04discoveryevasionpersistenceransomwareratspywaretrojan