General
-
Target
33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
-
Size
72.2MB
-
Sample
241209-v9ez2avrcz
-
MD5
33c2adebfe2c3acedfb34ffff8151b7d
-
SHA1
8e93f7ecafa92017a7d528423574ab5cfeec754a
-
SHA256
773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd
-
SHA512
6f545b4da55412ec78de6d1c3bddbcc6bb857b7d13b15fe4bb832259dbe1842d44a02b46395233c23ca57abd34239226a60c9f7ee26fcf82ba383a836f8d61ad
-
SSDEEP
1572864:yIWs/6+mI5n17YTIytz8ATFiQiFGaaoE13gIFxXtzM/zMfCOA6Z:ssJmIBiTvR8UFiQYGvoq35FVEeCOr
Malware Config
Extracted
quasar
1.4.1
Office04
167.71.56.116:22269
3470ac31-30aa-4cf6-ab0a-1ed0dd64656f
-
encryption_key
33E08519CDBEF59C54E93052681A76D1969C659E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
-
Size
72.2MB
-
MD5
33c2adebfe2c3acedfb34ffff8151b7d
-
SHA1
8e93f7ecafa92017a7d528423574ab5cfeec754a
-
SHA256
773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd
-
SHA512
6f545b4da55412ec78de6d1c3bddbcc6bb857b7d13b15fe4bb832259dbe1842d44a02b46395233c23ca57abd34239226a60c9f7ee26fcf82ba383a836f8d61ad
-
SSDEEP
1572864:yIWs/6+mI5n17YTIytz8ATFiQiFGaaoE13gIFxXtzM/zMfCOA6Z:ssJmIBiTvR8UFiQYGvoq35FVEeCOr
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1