quasar | 7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f | Triage

Sharing

General

Target

7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
Size

288KB
Sample

241221-cagepszjat
MD5

80738ce6e30247c37ee36568c43c8a5f
SHA1

23e857927a17559cff000d3cde52d2fdf4b99cc9
SHA256

7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
SHA512

ea2a6a84ac11eb7631fb04c8fb6c30aa3aa3238dae674bfee5e859296a0f3f25e0ef9d44ee7b3550c9cae44323363e16d882d5be1b305e19408e0a2d05b24c48
SSDEEP

6144:k7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkvn:alJtTF9zVGkllbk/

Score

10^/10

quasar office04 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

hiyashi-64129.portmap.io:64129

Mutex

PjIwWrgtTiUxldOLKM

Attributes

encryption_key
NN6uwWE7m1kB5ep5QSu8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
SubDir

Targets

- Target
  
  7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
- Size
  
  288KB
- MD5
  
  80738ce6e30247c37ee36568c43c8a5f
- SHA1
  
  23e857927a17559cff000d3cde52d2fdf4b99cc9
- SHA256
  
  7e3c88b63ad3aa607cc07c79c05075eec2832c9a4ccb03e0005620759081f31f
- SHA512
  
  ea2a6a84ac11eb7631fb04c8fb6c30aa3aa3238dae674bfee5e859296a0f3f25e0ef9d44ee7b3550c9cae44323363e16d882d5be1b305e19408e0a2d05b24c48
- SSDEEP
  
  6144:k7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkvn:alJtTF9zVGkllbk/
Score

10^/10

quasar office04 discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoverypersistencespywaretrojan

behavioral2

quasaroffice04discoverypersistencespywaretrojan