quasar | 4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903 | Triage

Sharing

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
Sample

241220-xbfvsaskek
MD5

b2f5d1078f1ed4eb8547f19b48dc5126
SHA1

657254864bfab24f564888e230da7f46266ecb4c
SHA256

4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
SHA512

9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
SSDEEP

49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y

Score

10^/10

quasar svchost discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

7.tcp.eu.ngrok.io:10771

7.tcp.eu.ngrok.io:4782

Mutex

75e27cf2-023d-4d6d-9a0d-265f3da40a2e

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
300
startup_key
RuntimeBroker
subdirectory
System32

Targets

- Target
  
  FlashingSoftwarePRO.exe
- Size
  
  3.1MB
- MD5
  
  b2f5d1078f1ed4eb8547f19b48dc5126
- SHA1
  
  657254864bfab24f564888e230da7f46266ecb4c
- SHA256
  
  4f872140210a9253c0deb66a65f0c265a194e85d99a639f406d927a1ac760903
- SHA512
  
  9f850a289fd4ac3b7f1e94e8ec179b99e6ae9c78cd7ef164aefd87c4d14d9f7995c60596cc1720a17afe0fc40d32715886a9fd8695c11ac6941077e45528c882
- SSDEEP
  
  49152:vvxI22SsaNYfdPBldt698dBcjH1uRJ6ebR3LoGduTHHB72eh2NT:vvi22SsaNYfdPBldt6+dBcjH1uRJ6Y
Score

10^/10

quasar svchost spyware trojan discovery stealer
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarsvchostspywaretrojan

behavioral2

quasarsvchostdiscoveryspywarestealertrojan