quasar | 1c653fcc4e7f5bb0ffbc2281676b4bc12b3e1f3034085e1b13c904e2ebb89e8f | Triage

Submit
Reports

Overview

overview

Static

static

1

Shadow-Gra...er.bat

windows7-x64

7

Shadow-Gra...er.bat

windows10-2004-x64

Sharing

General

Target

Obekrftade826494.crdownload
Size

8.1MB
Sample

241203-pj9ttsvngw
MD5

4b0a16b9b553578a6e9e5a3d9d4b439c
SHA1

898d3be293dfbd73b1e5a7a0bda9a1c28c3a7009
SHA256

1c653fcc4e7f5bb0ffbc2281676b4bc12b3e1f3034085e1b13c904e2ebb89e8f
SHA512

3db502d8836a2779794729b044ebb01b85733e2f9c981bd200d9ffa345f4fbca92a56446e93b366ae4c5959a38244db6cc483f679cdd65fa588aaa304e90bbfe
SSDEEP

196608:i9Au+kcUH1nW4OwP7rNDA16XXQa37hLKksCduwCvXqSSN:GtALwP71AkXXQm7hKsWGN

Score

10^/10

quasar v2.2.6 | tinsler defense_evasion discovery spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shadow-Grabber--main/Shadow-Stealer.bat

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Shadow-Grabber--main/Shadow-Stealer.bat

Resource

win10v2004-20241007-en

quasar v2.2.6 | tinsler defense_evasion discovery spyware trojan

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.6 | Tinsler

C2

throbbing-mountain-09011.pktriot.net:22112

167.71.56.116:22112

throbbing-mountain-09011.pktriot.net:5050

Mutex

cf16a257-7d89-4296-8384-8fca3dbb568f

Attributes

encryption_key
045F98A287DD47B8B5C074D234995A2C5A913042
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
1000

Targets

- Target
  
  Shadow-Grabber--main/Shadow-Stealer.bat
- Size
  
  12.5MB
- MD5
  
  cf5b412ffc3ce43cd7ddce602fc67f56
- SHA1
  
  221dfcd0868158f676c472d8a5bcf9647f0c7d51
- SHA256
  
  84ba648cfdd5c2ae8d3292fcc1702e385a1a26e915bd7275b5fde776212f2724
- SHA512
  
  695489d3b02863c382dc4b044bd80825b3f46eadfe4647619a0036da7ab3405b7925e89a457b19ee57995a59dcf8d5f9df237cd4d5d59a6cee3914aeaee2a8ef
- SSDEEP
  
  49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b
Score

10^/10

quasar v2.2.6 | tinsler defense_evasion discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Hidden Window

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarv2.2.6 | tinslerdefense_evasiondiscoveryspywaretrojan

© 2018-2024

Terms | Privacy