quasar | 598e9e785106149f7c6b15754cfff25dc9e63c9a4f31dd2adfae9f89ee7114c6 | Triage

Sharing

General

Target

598e9e785106149f7c6b15754cfff25dc9e63c9a4f31dd2adfae9f89ee7114c6
Size

2.9MB
Sample

241127-rb5agswnbw
MD5

35ebffea09e4aaa9d51739350ed89cf3
SHA1

79497ec75bfa2908a7309dd32950706c1dff55f3
SHA256

598e9e785106149f7c6b15754cfff25dc9e63c9a4f31dd2adfae9f89ee7114c6
SHA512

333f8321a560a82dc63b25354174e9757ff9e9c4b531bd5a28a667da791e5c41902597f1ae22eee6631e8bd82aab4ea8ba06ef8193c435ca63d7cf5c35952b18
SSDEEP

49152:5XEhhcszRwpZBYWmvU0CDNB7gQ18drEXl7SY:5XEhHMBLbDNB7gQiWXl7b

Score

10^/10

quasar cloud discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CLOUD

C2

clouddns.ydns.eu:4782

Mutex

Y0L5BBr3LYevMGkjTR

Attributes

encryption_key
NQFoBAkHvOScg2EgzstO
install_name
CasPol.exe
log_directory
Logs
reconnect_delay
3000
startup_key
AppLaunch
subdirectory
ResourceWindows

Targets

- Target
  
  598e9e785106149f7c6b15754cfff25dc9e63c9a4f31dd2adfae9f89ee7114c6
- Size
  
  2.9MB
- MD5
  
  35ebffea09e4aaa9d51739350ed89cf3
- SHA1
  
  79497ec75bfa2908a7309dd32950706c1dff55f3
- SHA256
  
  598e9e785106149f7c6b15754cfff25dc9e63c9a4f31dd2adfae9f89ee7114c6
- SHA512
  
  333f8321a560a82dc63b25354174e9757ff9e9c4b531bd5a28a667da791e5c41902597f1ae22eee6631e8bd82aab4ea8ba06ef8193c435ca63d7cf5c35952b18
- SSDEEP
  
  49152:5XEhhcszRwpZBYWmvU0CDNB7gQ18drEXl7SY:5XEhHMBLbDNB7gQiWXl7b
Score

10^/10

quasar cloud discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarclouddiscoverypersistencespywaretrojan

behavioral2

quasarclouddiscoverypersistencespywaretrojan