quasar | f962beec9703a522fae680c30ec2b7bc44565e431128bc46d1410e476b564962 | Triage

Submit
Reports

Overview

overview

Static

static

Lose2himatoBeta.exe

windows7-x64

1

Lose2himatoBeta.exe

windows10-2004-x64

Sharing

General

Target

Lose2himatoBeta.exe
Size

135.3MB
Sample

241129-qz9pfaykfx
MD5

15498caff53ec11af87a73319367838c
SHA1

4a45433a0a513119418ed44f4c475151a43ba923
SHA256

f962beec9703a522fae680c30ec2b7bc44565e431128bc46d1410e476b564962
SHA512

aaa86e7258f11329cf9853d4dec64e7b891dc139fc8dd1133e2229b0987494ad4191d9663cc3cf5c90a4a99e8ccca86171d8b3c12f09885ca751e4bdd2fc2430
SSDEEP

786432:zl5HNB9pAbrDMZBfPPgs9TFMd15DeSqVO0EQWW2IxEm+KoZd7APUF85n9wwTtLwd:J5HOsPfmZ0/EmREdEPUF85nSUgTX

Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Lose2himatoBeta.exe

Resource

win7-20241010-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

Lose2himatoBeta.exe

Resource

win10v2004-20241007-en

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes

encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Lose2himatoBeta.exe
- Size
  
  135.3MB
- MD5
  
  15498caff53ec11af87a73319367838c
- SHA1
  
  4a45433a0a513119418ed44f4c475151a43ba923
- SHA256
  
  f962beec9703a522fae680c30ec2b7bc44565e431128bc46d1410e476b564962
- SHA512
  
  aaa86e7258f11329cf9853d4dec64e7b891dc139fc8dd1133e2229b0987494ad4191d9663cc3cf5c90a4a99e8ccca86171d8b3c12f09885ca751e4bdd2fc2430
- SSDEEP
  
  786432:zl5HNB9pAbrDMZBfPPgs9TFMd15DeSqVO0EQWW2IxEm+KoZd7APUF85n9wwTtLwd:J5HOsPfmZ0/EmREdEPUF85nSUgTX
Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Disables Task Manager via registry modification
  evasion
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Account Manipulation

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Account Manipulation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Permission Groups Discovery

Local Groups

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

quasaroffice04defense_evasiondiscoveryevasionransomwarespywaretrojan

© 2018-2024

Terms | Privacy