quasar | abe37950f37a219af0a4fce980a9b5e0a765b91cc4155b526a0bff714d3181c5 | Triage

Sharing

General

Target

25ae2a8e59da886dbc3192b12e000ffa.bin
Size

2.8MB
Sample

241210-bdff5sxphz
MD5

cd971f96327bdf6634e9b4dae9789489
SHA1

a6d450d104bae73fcf7f78238ea90991ed3cea0f
SHA256

abe37950f37a219af0a4fce980a9b5e0a765b91cc4155b526a0bff714d3181c5
SHA512

93be3da538cae663bf9fc350f78acbfe479d5d0eeddc64a57883c68b86920342adbd8edb15e502feef7be2abe1cf45b6b544b7356479c9deb1c372ba6ddf1fa1
SSDEEP

49152:SeeL24hH8BVZ0pIVO20WY+bQwb1U07VoWVW3Q1J4HcpxfBbdOAqdeBfRKdA58O7I:SeeL24qBYpMHY+kwdoWVW3QTQolMdeRo

Score

10^/10

quasar office04 discovery evasion spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.200.148.155:6060

Mutex

4b3820e0-d123-49d9-b51e-3c4daa4f6874

Attributes

encryption_key
F8879E9B26846C57C99B6F152F74703E1CC15B8B
install_name
SecurityHealthSystray.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SecurityHealthSystray.exe
subdirectory
SubDir

Targets

- Target
  
  d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4.exe
- Size
  
  3.0MB
- MD5
  
  25ae2a8e59da886dbc3192b12e000ffa
- SHA1
  
  c384fbee5a29be18571d293c1e20a36d044bd86a
- SHA256
  
  d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4
- SHA512
  
  246a2948f880231fe597a4c6cfb1f8acbbc7173f73752532dd2049697cd4165c6d1e966a1a598d260053e1f4aeebf0472ffedc4aec56c8233899c965c7fc6736
- SSDEEP
  
  49152:auZju5PuuzE2wJMTFuUPHghJW5eqdCMuWnLBuU5ZHWIcCm:xjuFumw0Fu2gho5e4nLB5L
Score

10^/10

quasar office04 discovery evasion spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryevasionspywaretrojan

behavioral2

quasaroffice04discoveryevasionspywaretrojan