quasar | 5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6 | Triage

Submit
Reports

Overview

overview

Static

static

1

5182c93d80...f6.exe

windows7-x64

5182c93d80...f6.exe

windows10-2004-x64

Sharing

General

Target

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6
Size

3.7MB
Sample

241203-lw4xkavrgn
MD5

cd765738ca380479232b3742bec4681a
SHA1

72183452d01eabefa4a1dc4e4702df04aca6da4e
SHA256

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6
SHA512

047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5
SSDEEP

49152:sBe/wR+kPCndafDZ7MTpxKQ4vWcucxZIp6/Y6HhxVetUw5WxGea2rkoVAAVsK5Iw:/namVxrcxys/XhxsuwEUeFzyRM

Score

10^/10

quasar code discovery execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe

Resource

win7-20240729-en

quasar code discovery execution spyware trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe

Resource

win10v2004-20241007-en

quasar code discovery execution spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CODE

C2

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

Mutex

02351e291-5d041-4fa37-932c7-869aeiQec514992

Attributes

encryption_key
3145298725BA5E0DD56E87FFE3F8898EA81E6EDA
install_name
workbook.exe
log_directory
Logs
reconnect_delay
6000
startup_key
workbook
subdirectory
SubDir

Targets

- Target
  
  5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6
- Size
  
  3.7MB
- MD5
  
  cd765738ca380479232b3742bec4681a
- SHA1
  
  72183452d01eabefa4a1dc4e4702df04aca6da4e
- SHA256
  
  5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6
- SHA512
  
  047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5
- SSDEEP
  
  49152:sBe/wR+kPCndafDZ7MTpxKQ4vWcucxZIp6/Y6HhxVetUw5WxGea2rkoVAAVsK5Iw:/namVxrcxys/XhxsuwEUeFzyRM
Score

10^/10

quasar code discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarcodediscoveryexecutionspywaretrojan

behavioral2

quasarcodediscoveryexecutionspywaretrojan

© 2018-2024

Terms | Privacy