quasar | d1de96eb0ef1b083395dc7100ddd3e5e37355835149fd8cf2dc4720db7a1b687 | Triage

Submit
Reports

Overview

overview

Static

static

7

OnSenFoutD...ng.exe

windows11-21h2-x64

Sharing

General

Target

OnSenFoutDuReverseEngeneering.exe
Size

4.9MB
Sample

241208-wjqvaawkej
MD5

1e208c0fc7669daded9f6478094cca07
SHA1

50aa2aaf9497d3330ecbff4606de70b5fd06d09e
SHA256

d1de96eb0ef1b083395dc7100ddd3e5e37355835149fd8cf2dc4720db7a1b687
SHA512

d76d53d8e34bdeec1f957681989348fec1caf66a9b085f017bc64c69dff8cb5f49848bae1aa57d12fc9d076cf021b4b37e6ca76600a626f27368b54e70a72b52
SSDEEP

98304:T5eJtRKiXcWxR4ObkkYdNsP83DqAnFNVxWVZxsNu11CjTLmzFUzvRt:o/B4Ob+NGGCVZxGysLmJSt

Score

10^/10

quasar 4454q discovery evasion spyware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

OnSenFoutDuReverseEngeneering.exe

Resource

win11-20241007-en

quasar 4454q discovery evasion spyware themida trojan

windows11-21h2-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

4454q

C2

ahhahahahhaha-31079.portmap.host:31079

Mutex

044ac41e-c0fb-4dd7-af9f-e74094c6a6a7

Attributes

encryption_key
055736E72537AC04021AC76ED3781A1BA2638909
install_name
msedge.exe
log_directory
lggs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
5412

Targets

- Target
  
  OnSenFoutDuReverseEngeneering.exe
- Size
  
  4.9MB
- MD5
  
  1e208c0fc7669daded9f6478094cca07
- SHA1
  
  50aa2aaf9497d3330ecbff4606de70b5fd06d09e
- SHA256
  
  d1de96eb0ef1b083395dc7100ddd3e5e37355835149fd8cf2dc4720db7a1b687
- SHA512
  
  d76d53d8e34bdeec1f957681989348fec1caf66a9b085f017bc64c69dff8cb5f49848bae1aa57d12fc9d076cf021b4b37e6ca76600a626f27368b54e70a72b52
- SSDEEP
  
  98304:T5eJtRKiXcWxR4ObkkYdNsP83DqAnFNVxWVZxsNu11CjTLmzFUzvRt:o/B4Ob+NGGCVZxGysLmJSt
Score

10^/10

quasar 4454q discovery evasion spyware themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasar4454qdiscoveryevasionspywarethemidatrojan

© 2018-2024

Terms | Privacy