quasar | e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879 | Triage

Sharing

General

Target

Nowe zamówienie - 0072291855.pdf (243KB).com.exe
Size

3.7MB
Sample

241203-p8nb5awngx
MD5

96493f8a0252e4e492de924d83db5a8a
SHA1

09dad264469e86a858f0183ed6e5bfe2d53781f4
SHA256

e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879
SHA512

29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78
SSDEEP

49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb

Score

10^/10

quasar jekwu discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

JEKWU

C2

Zyg.ydns.eu:5829

Opy.ydns.eu:5829

Mutex

9c58b2ba-07eb-415a-b48b-21bbb68d32285e

Attributes

encryption_key
C5B555A83D127A9553D4FB1FCECB35CE8E91A447
install_name
outlooks.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Outlooks
subdirectory
WindowsUpdates

Targets

- Target
  
  Nowe zamówienie - 0072291855.pdf (243KB).com.exe
- Size
  
  3.7MB
- MD5
  
  96493f8a0252e4e492de924d83db5a8a
- SHA1
  
  09dad264469e86a858f0183ed6e5bfe2d53781f4
- SHA256
  
  e14c8cd3613b5d94cd5ca407fd329b61954add690c779edbd41b362d035f7879
- SHA512
  
  29d6192b4aae0af83fe15d015be5cf3e1b8832e154c6e847d71de1834c30421f435192490fc9f5b868c99e71f2bbdb92685582985ece2e7694d02799cd315b78
- SSDEEP
  
  49152:wBeT66BYzsKDeAo4hJFXMOqlI9XGhvPEpCaZKfpObuLkEnmnK0QnFRhe5+ET8QVY:TTF7GbIlDvPEpz4ptnHhK87nhUnIJb
Score

10^/10

quasar jekwu discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarjekwudiscoveryexecutionspywaretrojan

behavioral2

quasarjekwudiscoveryexecutionspywaretrojan