General
-
Target
https://gofile.io/d/5m5iIa
-
Sample
241225-vzrk3sznbs
Malware Config
Extracted
quasar
1.4.1
Office04
himato667-58401.portmap.host:58401
0e2bc079-3316-407c-a26f-115195d9fe5b
-
encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
https://gofile.io/d/5m5iIa
Score10/10-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Account Manipulation
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Discovery
Browser Information Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
2Remote System Discovery
1System Information Discovery
2System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1