quasar | a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a | Triage

Submit
Reports

Overview

overview

Static

static

3

a8f8595e1b...7a.exe

windows7-x64

a8f8595e1b...7a.exe

windows10-2004-x64

Sharing

General

Target

a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
Size

5.8MB
Sample

241128-clsl4szrhv
MD5

7f4092487f658020d13296690668d937
SHA1

4c2e7041e90f7f651c3f514f092260fdf38d23e4
SHA256

a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
SHA512

bf24517138ae37ad6dbb5aec2272b0db9a7aa9c38e8b1928a4e6223c624592bf2fff2ce27e3971329bd829667cfd5722ce1906b55ebb779b421bd8ec3aae749b
SSDEEP

98304:VdAle+Q5MpCOKdEJFZPG+chrvWREYJSqKpwR5agwxo7CH+TY9PcFO3y9jmKn+HBT:bkgMpCOL++KYMqDbSVdRf3y9jKH+U

Score

10^/10

quasar xxxnewsgroupdirect discovery evasion spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Resource

win7-20240903-en

quasar xxxnewsgroupdirect discovery evasion spyware trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe

Resource

win10v2004-20241007-en

quasar xxxnewsgroupdirect discovery evasion spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

XXXNewsgroupdirect

C2

jwy1nw4mcx2svbmvgo76.ru:4782

o6tqyui3rxxk2sfghduiypzz7pxlym.ru:4782

RHjqJCxmCalXXEe.ru:4782

xMfLSMPKBWsgmUC.ru:4782

FHXvaxLSFIDvieO.ru:4782

QfFaRBPqOoJQqEF.ru:4782

moNxVtjgeWpPVUz.ru:4782

JDIsOivQCBlbzlN.ru:4782

DGnZQjkVDhsxgVV.ru:4782

ByZBzewBiKXuqUR.ru:4782

ytXDZUKKgHETqys.ru:4782

yPZmTJDDnmJhkwf.ru:4782

QVggEpcffTSfXLG.ru:4782

DqUTFasmBwlEIBT.ru:4782

VYJjpyHabYhrJDd.ru:4782

RgNSTMHSnjafPEX.ru:4782

Mutex

HoQcpHAOBoMWu5FCve

Attributes

encryption_key
VJrLu7UGImn19bb9qL6Z
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
- Size
  
  5.8MB
- MD5
  
  7f4092487f658020d13296690668d937
- SHA1
  
  4c2e7041e90f7f651c3f514f092260fdf38d23e4
- SHA256
  
  a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
- SHA512
  
  bf24517138ae37ad6dbb5aec2272b0db9a7aa9c38e8b1928a4e6223c624592bf2fff2ce27e3971329bd829667cfd5722ce1906b55ebb779b421bd8ec3aae749b
- SSDEEP
  
  98304:VdAle+Q5MpCOKdEJFZPG+chrvWREYJSqKpwR5agwxo7CH+TY9PcFO3y9jmKn+HBT:bkgMpCOL++KYMqDbSVdRf3y9jKH+U
Score

10^/10

quasar xxxnewsgroupdirect discovery evasion spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarxxxnewsgroupdirectdiscoveryevasionspywaretrojan

behavioral2

quasarxxxnewsgroupdirectdiscoveryevasionspywaretrojan

© 2018-2024

Terms | Privacy