quasar | 93c17b482bf0bf274580744e57b27c70ffbbe1d14bb0c312e66f62e99ffa7c60 | Triage

Sharing

General

Target

93c17b482bf0bf274580744e57b27c70ffbbe1d14bb0c312e66f62e99ffa7c60.zip
Size

33.7MB
Sample

241220-e7ey9a1jdn
MD5

1d71ab9bbdce669eb6b08577cb3ede5d
SHA1

b4722e61a81a49cc4fb4285670e4bafb813167f8
SHA256

93c17b482bf0bf274580744e57b27c70ffbbe1d14bb0c312e66f62e99ffa7c60
SHA512

48ed195ade297a58f94a91a4cb4c94f4b65cb81aefe930b4f1b3bf923d312346c19a1aefd8b74754517109f08efdf2b7c2d6f20392291f0562f779d24d71b7f2
SSDEEP

786432:Tgi48KFglmpGp2Ey3CuYTRb4lFBXDorLwDUzZs+uCZiHBC:Tg/gyGp2E5ukb2dorUU2+uRHI

Score

10^/10

quasar slimo defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slimo

C2

51.15.17.193:4782

Mutex

e318fab0-811e-40a6-b0aa-1e21015956c8

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  slimo-qt-windows/slimo-cli.exe
- Size
  
  1.9MB
- MD5
  
  6cd2e4e2949cf1c0b010267152d33c60
- SHA1
  
  c7a89b1976165f3b9f94625ebcf52c330e24b027
- SHA256
  
  26ba8b99481e5e4285b83ba8f311f6955e3d8610b85734dbcb8d63350c377495
- SHA512
  
  af54ffb5fecafe471470708fcdf5498a60db6cd2f55ebaa9d5c89b8fd0895237bb9dd52463ac8326855d0be6b0393554c77ff73aacf2d0264886142e11de431b
- SSDEEP
  
  49152:zHl+v0Dk7LBh4+Jyh5ghKvN9QuwiMMHSBtIsVg+hEIG6t:Q5oHY
Score

1^/10
behavioral1 behavioral2
- Target
  
  slimo-qt-windows/slimo-qt.exe
- Size
  
  101.4MB
- MD5
  
  8fe43b09d853202c4ff8f7d66d17adc5
- SHA1
  
  58b1d97d18c60a0769e66e4fcd1fb9756071a15c
- SHA256
  
  2b6b5c04c584c7d6dc72a5be6101c204d934b6502e28d1ed1514f757daaab50f
- SHA512
  
  1101f11a2c39c5a35fd1421c36b31ab20d21557e2eafe1085ef2f4c0a8df71404e6acb6adab551cce5fd68205e142644d8653be9b90248fb3f020422be240134
- SSDEEP
  
  393216:C4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2K:CKRVQxhu0P8Lq1LEvxOOx5S4
Score

10^/10

quasar slimo defense_evasion execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
  defense_evasion
- Drops startup file
- Executes dropped EXE
behavioral3 behavioral4
- Target
  
  slimo-qt-windows/slimo-tx.exe
- Size
  
  3.3MB
- MD5
  
  4457d1658c982cea34fdce371fe92c91
- SHA1
  
  adf4e7fcf11fa92fa6fc785fd39fb0ac289ed76d
- SHA256
  
  28b16c9359930ec0aa87030bf9dea860d06de6b91bb43f368bbcc0e913cb1fbb
- SHA512
  
  e9645002d3446d016f8f8305bbdb10bb5195dc2051027c30224bb36acb9e9d0f3ab5b0f0f928426575b7fbafd673b4f16221f1f53415bcefd1c5ba257bfaa0cd
- SSDEEP
  
  49152:d532eRJhpC7n5UvlTR1d4k/zQQjkmF6jwtl2mMpulxYY9Tdj0p6arDwl7HJri0T/:qkm5q1PrtH3Mb
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

Regsvcs/Regasm

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

quasarslimodefense_evasionexecutionspywaretrojan

behavioral5

behavioral6