quasar | 6f08d8eb4044dd872b38ff8d6a2b6e86efa9f7d777cb1b09e1f575bfed9467a2 | Triage

Submit
Reports

Overview

overview

Static

static

Lose2himato.exe

windows7-x64

1

Lose2himato.exe

windows10-2004-x64

Sharing

General

Target

Lose2himato.exe
Size

135.3MB
Sample

241208-xx84fsxlhk
MD5

30b32bc02534355b906a37951b458808
SHA1

61eada367af3558e45c8583e174cdef13e68b93b
SHA256

6f08d8eb4044dd872b38ff8d6a2b6e86efa9f7d777cb1b09e1f575bfed9467a2
SHA512

8735788ded8836ac0b5be86356263cba2899367964ca8711a8d89b84cecf8c50be799274bfae5d4c6b8bc5d4dea7f04f836f10bf230041677c61977299887839
SSDEEP

786432:zl5HNB9mAbrDMZBfPPgs9TFMd15DeSqVO0EQWW2IxEm+KoZd7APUF85n9wwTtLwG:J5gOsPfmZ0/EmREdEPUF85nSUgTI

Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Lose2himato.exe

Resource

win7-20241023-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

Lose2himato.exe

Resource

win10v2004-20241007-en

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes

encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Lose2himato.exe
- Size
  
  135.3MB
- MD5
  
  30b32bc02534355b906a37951b458808
- SHA1
  
  61eada367af3558e45c8583e174cdef13e68b93b
- SHA256
  
  6f08d8eb4044dd872b38ff8d6a2b6e86efa9f7d777cb1b09e1f575bfed9467a2
- SHA512
  
  8735788ded8836ac0b5be86356263cba2899367964ca8711a8d89b84cecf8c50be799274bfae5d4c6b8bc5d4dea7f04f836f10bf230041677c61977299887839
- SSDEEP
  
  786432:zl5HNB9mAbrDMZBfPPgs9TFMd15DeSqVO0EQWW2IxEm+KoZd7APUF85n9wwTtLwG:J5gOsPfmZ0/EmREdEPUF85nSUgTI
Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Disables Task Manager via registry modification
  evasion
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Account Manipulation

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Account Manipulation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Indicator Removal

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Permission Groups Discovery

Local Groups

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

quasaroffice04defense_evasiondiscoveryevasionransomwarespywaretrojan

© 2018-2024

Terms | Privacy