General
-
Target
https://gofile.io/d/5m5iIa
-
Sample
241226-t2lxya1kfr
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/5m5iIa
Resource
win10v2004-20241007-en
Malware Config
Extracted
quasar
1.4.1
Office04
himato667-58401.portmap.host:58401
0e2bc079-3316-407c-a26f-115195d9fe5b
-
encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
https://gofile.io/d/5m5iIa
-
Quasar family
-
Quasar payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Account Manipulation
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Discovery
Browser Information Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
3Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1