quasar | d05dd87b7ce909f8f3f85607f9546bcbe1168a507955c4d504d8c83f02d9a909 | Triage

Submit
Reports

Overview

overview

Static

static

1

Uni.bat

windows7-x64

7

Uni.bat

windows10-2004-x64

Sharing

General

Target

Uni.bat
Size

10.4MB
Sample

241128-vy695szmal
MD5

2cc589a27044382be0ec55f23f36fa41
SHA1

4edc18c1b0e3558086e86d4e5c344fc9bed8d97c
SHA256

d05dd87b7ce909f8f3f85607f9546bcbe1168a507955c4d504d8c83f02d9a909
SHA512

baf948e4257cda2a0c30e9663448e884d40d844cc0f15cb64a9a2ccc40c12d1bdf1b5808d80b19c0f401478504468669d44edcdf0153f88d1b3ceb3303656045
SSDEEP

49152:C/JouIj6nHI8l5lK7g/JLyDX7YVDazqMdubv+JrncVzgH+60gF4SLF+pHGwhESAG:K

Score

10^/10

quasar v15.4.5 | seroxen defense_evasion discovery persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Uni.bat

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Uni.bat

Resource

win10v2004-20241007-en

quasar v15.4.5 | seroxen defense_evasion discovery persistence spyware trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.4.5 | SeroXen

C2

map-casio.gl.at.ply.gg:57345

Mutex

93520150-37f5-4b86-9682-b07d73e61808

Attributes

encryption_key
E9B24DC5A9D33874B0626389429DD789286126DC
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
230
startup_key
$sxr-seroxen

Targets

- Target
  
  Uni.bat
- Size
  
  10.4MB
- MD5
  
  2cc589a27044382be0ec55f23f36fa41
- SHA1
  
  4edc18c1b0e3558086e86d4e5c344fc9bed8d97c
- SHA256
  
  d05dd87b7ce909f8f3f85607f9546bcbe1168a507955c4d504d8c83f02d9a909
- SHA512
  
  baf948e4257cda2a0c30e9663448e884d40d844cc0f15cb64a9a2ccc40c12d1bdf1b5808d80b19c0f401478504468669d44edcdf0153f88d1b3ceb3303656045
- SSDEEP
  
  49152:C/JouIj6nHI8l5lK7g/JLyDX7YVDazqMdubv+JrncVzgH+60gF4SLF+pHGwhESAG:K
Score

10^/10

quasar v15.4.5 | seroxen defense_evasion discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Hidden Window

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarv15.4.5 | seroxendefense_evasiondiscoverypersistencespywaretrojan

© 2018-2024

Terms | Privacy