quasar | efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580 | Triage

Submit
Reports

Overview

overview

Static

static

1

Image Logger.bat

windows10-2004-x64

Image Logger.bat

windows10-ltsc 2021-x64

Image Logger.bat

windows11-21h2-x64

Sharing

General

Target

Image Logger.bat
Size

12.8MB
Sample

241226-n8qxksvnc1
MD5

a2e3e4286e8b22b3b021a6706b899dd7
SHA1

e6179204735421c3927f27c13f9751af1dce9bd2
SHA256

efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
SHA512

3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
SSDEEP

49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e

Score

10^/10

quasar v15.6.3 | xen defense_evasion discovery spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Image Logger.bat

Resource

win10v2004-20241007-en

quasar v15.6.3 | xen defense_evasion spyware trojan

windows10-2004-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Image Logger.bat

Resource

win10ltsc2021-20241211-en

quasar v15.6.3 | xen defense_evasion discovery spyware trojan

windows10-ltsc 2021-x64

26 signatures

150 seconds

Behavioral task

behavioral3

Sample

Image Logger.bat

Resource

win11-20241007-en

quasar v15.6.3 | xen defense_evasion discovery spyware trojan

windows11-21h2-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v15.6.3 | xen

C2

studies-royal.at.ply.gg:31849

usa-departments.at.ply.gg:37274

category-in.at.ply.gg:42204

Mutex

bd62476d-8a2b-4e05-a8e5-68cc94baac4f

Attributes

encryption_key
AA41DD5506DCFCA6EE3BF934CC3C9319F80E5E10
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
5000
startup_key
$sxr-seroxen

Targets

- Target
  
  Image Logger.bat
- Size
  
  12.8MB
- MD5
  
  a2e3e4286e8b22b3b021a6706b899dd7
- SHA1
  
  e6179204735421c3927f27c13f9751af1dce9bd2
- SHA256
  
  efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
- SHA512
  
  3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
- SSDEEP
  
  49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Score

10^/10

quasar v15.6.3 | xen defense_evasion spyware trojan discovery
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Hidden Window

Indicator Removal

Clear Windows Event Logs

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarv15.6.3 | xendefense_evasionspywaretrojan

behavioral2

quasarv15.6.3 | xendefense_evasiondiscoveryspywaretrojan

behavioral3

quasarv15.6.3 | xendefense_evasiondiscoveryspywaretrojan

© 2018-2024

Terms | Privacy