quasar | e32128f875d42818741d274d447aacf2cdc15cc78a2ce0a393d629c4c90c779d | Triage

Sharing

General

Target

full.exe
Size

16.5MB
Sample

241212-t8ahgssldq
MD5

b59ee68c7c3ee01e14a7516628368046
SHA1

7a0cc3f080d1c2143e770d1fd50dc7f20bef9f7a
SHA256

e32128f875d42818741d274d447aacf2cdc15cc78a2ce0a393d629c4c90c779d
SHA512

3bfeb88f787da0784e3615d9b048589cfdc3492dcb24b8a508f6fb2d6170049b86049f0942e19041b5d262cde3479d338aa5fd6ce654c6a02b6b78590c738c6b
SSDEEP

196608:NKuXJJx9MbelAUHXTuj4KxT931ugenDTYe6cZK3F:cuXXx91WgDKd93renDTYz2K

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

1.tcp.sa.ngrok.io:20545

Mutex

a888ff96-3c09-47a6-9d99-754a5cdfdb56

Attributes

encryption_key
4CD7E5DD87FFEF73A08F084E887E8F136321F5D7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  full.exe
- Size
  
  16.5MB
- MD5
  
  b59ee68c7c3ee01e14a7516628368046
- SHA1
  
  7a0cc3f080d1c2143e770d1fd50dc7f20bef9f7a
- SHA256
  
  e32128f875d42818741d274d447aacf2cdc15cc78a2ce0a393d629c4c90c779d
- SHA512
  
  3bfeb88f787da0784e3615d9b048589cfdc3492dcb24b8a508f6fb2d6170049b86049f0942e19041b5d262cde3479d338aa5fd6ce654c6a02b6b78590c738c6b
- SSDEEP
  
  196608:NKuXJJx9MbelAUHXTuj4KxT931ugenDTYe6cZK3F:cuXXx91WgDKd93renDTYz2K
Score

10^/10

quasar office04 discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasaroffice04discoveryexecutionpersistencespywaretrojan