quasar | d467f2d14bc21c2b361a485fa45998ce431e1b1a57ab2de2da583eda108baba9

General

Target

dogger-qt-windows.zip
Size

32.7MB
Sample

241223-pq7caazlek
MD5

a4727e2be65d5329cc7ec679a6c693ae
SHA1

0994665381dced61dd6054aa83dd86125efc8a94
SHA256

d467f2d14bc21c2b361a485fa45998ce431e1b1a57ab2de2da583eda108baba9
SHA512

c6de3735dc20deca3bd959a0a2fbc8c3948f6dc8a6cc3be49133d6b92edf9b048504e4a82fbcc4173e709a9e9eac964dbf9c37888dace3758b04146282d3f1a0
SSDEEP

786432:Pgi48KFglmpGp2Ey3CuYTRb4lFBXDorLwDUzZsParVbRE/4g:Pg/gyGp2E5ukb2dorUU2PeP0

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SenshiDoger

C2

51.15.17.193:4782

Mutex

88fce838-f835-4ecf-a564-130da9d982d9

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.0.0

Botnet

SenshiDogger

C2

51.15.17.193:222

Mutex

QUCCAE2FMOnnAHmsrK

Attributes

encryption_key
en6dkTFiSUkKpYIDgQtE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
word
subdirectory
SubDir

Targets

- Target
  
  dogger-qt-windows/dogger-cli.exe
- Size
  
  2.0MB
- MD5
  
  8ec0cb1a3536a41842c6c848187f01ed
- SHA1
  
  4f99125bd35519eb52c8b1737823dfe5b1850663
- SHA256
  
  b441b7395cc59ee0e692f9dca627853a4e09a32d59564be75d560620e36c9715
- SHA512
  
  b966542a124e3a797505acb6697322c62d79ea0c9f031a5de61ed622c6bac32abc603d3254b48303fe4efcb13a79b43de065beebddcc6b754dad1bedbfeca428
- SSDEEP
  
  24576:xLhAoAIccJD6wHRWAJ00gyX2xylirEuq4WlFFlfr9NxPmKn6RUySZ:VhAdchv05yX2x+RuDWrFlJPYRUyS
Score

1^/10
behavioral1 behavioral2
- Target
  
  dogger-qt-windows/dogger-qt.exe
- Size
  
  83.6MB
- MD5
  
  3c607881c805adde0f4118f2fe5ea712
- SHA1
  
  72182ea0e810c18edec5dcca85efc277a51b91e7
- SHA256
  
  175a0366e2f3fa190b8f9a9a447f9b9efa679c36c394f3b8b0366e63c5df4cea
- SHA512
  
  9ebd2294651cb792450b1005a8c77806234b0dba4cdd09a92e1e2460a7170f27c2139c36af3c36202530cf8a24ddbe26f3425e5849a8053881fa214359289bfd
- SSDEEP
  
  393216:F4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2k:FKRVQxhu0P8Lq1LEvxOOx5Sq
Score

10^/10

quasar senshidoger senshidogger defense_evasion discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral3 behavioral4
- Target
  
  dogger-qt-windows/dogger-tx.exe
- Size
  
  3.6MB
- MD5
  
  e26738feb17bc0eec9548a3fc831d89e
- SHA1
  
  508d27b6d43d93b85a3088a954436efcfc95240a
- SHA256
  
  cbdc3b3b4f12046d82892d5896c2dfdfec74afdd31a8fcd88591bf4a994895ac
- SHA512
  
  c47e579be314bc54af0710f4c6e50155c6098bca5b63ee91ffa3ae0e34ddbcf1bc76f9e480bd7120d2eb11ea1b2ef832375afe9eb06356c1b744cef8f57d44c2
- SSDEEP
  
  49152:zSgYFyeqz//DvplbcWPhAZ3n1kdXsHi1POi50f5ienWs0YGANMoywHhSC7LPz:zl1/DBaJumi5W2ANMoHHhrL
Score

1^/10
behavioral5 behavioral6