quasar | 61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

General

Target

Obekräftade 642667.crdownload
Size

38.2MB
Sample

241203-n9yzksznaq
MD5

43ec213ae2f483ad0571615217a015f5
SHA1

3249d4183d62599ee7352261af8c9f9fbfc41cab
SHA256

61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb
SHA512

e590d60c4ea504816c611f0417d72622fec2e8a496da2b61e31911e6bed82f5765501907e806b35dd4b28d7c759d9b8294cb462a84997bb8e984a7acd866350f
SSDEEP

786432:jyIjkDNnx2+2NYTb4opWJ2E0R53QVnGajZAS/VNEEgrWpngLHYdXyXJW:TkDNnxV2iTb4mVE0RpsgUNBC+oSO8

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v3.0.0 | Slave

C2

147.185.221.17:25792

Mutex

92d55a7d-fa9d-4687-a639-1c17ad82e127

Attributes

encryption_key
AAADD171AFB4583A86B8E61A97433E10C4015A71
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Targets

- Target
  
  X-Worm-V5-main/XWorm V5.0/Fixer.bat
- Size
  
  122B
- MD5
  
  2dabc46ce85aaff29f22cd74ec074f86
- SHA1
  
  208ae3e48d67b94cc8be7bbfd9341d373fa8a730
- SHA256
  
  a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
- SHA512
  
  6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
Score

5^/10
- Drops file in System32 directory
behavioral1
- Target
  
  X-Worm-V5-main/XWorm V5.0/XWorm V5.0.exe
- Size
  
  10.4MB
- MD5
  
  227494b22a4ee99f48a269c362fd5f19
- SHA1
  
  d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
- SHA256
  
  7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
- SHA512
  
  71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0
- SSDEEP
  
  196608:z59nhcOWSxxgQHl2np1eY5J5itQaZWtU8i/MJ:zRRWQBQnpji1W+8i/
Score

7^/10

agilenet discovery
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral2
- Target
  
  X-Worm-V5-main/XWorm V5.0/XWorm V5.0.exe.config
- Size
  
  183B
- MD5
  
  66f09a3993dcae94acfe39d45b553f58
- SHA1
  
  9d09f8e22d464f7021d7f713269b8169aed98682
- SHA256
  
  7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
- SHA512
  
  c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
Score

3^/10

discovery
behavioral3
- Target
  
  X-Worm-V5-main/XWorm V5.0/XWormLoader.exe
- Size
  
  8.6MB
- MD5
  
  2aff4d1edefd1017408f77bbf15ef6c2
- SHA1
  
  cfc1827c2e45802cbfe931ab66dea427c512a6ab
- SHA256
  
  7de8a4b7288fe71fdb8fa2eb453059937ce5ff998e117dc79c8d68de7e0f9315
- SHA512
  
  a456dba519592187461596f0ceb1e008e0a9a974a79698acda5bb1cfe000b99fd1bcafe140a022a40db6b447cb70e335dba137500a4f05e68299a3da758f9756
- SSDEEP
  
  196608:6HwveWmitDQXAWhg8tlFPreKofxWJHVP3u8CkXt0rQMJB4Eo:IkmitD85hgAtop81Hh0sUBk
Score

10^/10

quasar v3.0.0 | slave defense_evasion discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Drops file in System32 directory
behavioral4