quasar | cb6e5498783057d293cdd184505d725b2c0e9ffabaafd9faebc4d156c36533b8

Sharing

Copy URL

Twitter E-mail

General

Target

awp.rar
Size

13.3MB
Sample

241228-y7119s1pe1
MD5

714a60bfe0d9e265969a0f8e7fb42c13
SHA1

40c576f38af490b5cd00a8a48173f735a74ac98a
SHA256

cb6e5498783057d293cdd184505d725b2c0e9ffabaafd9faebc4d156c36533b8
SHA512

81786e0f15b151cc01b9d139efe01df429a703d5f7c5aafed3c7dc605e70c694463593be0cc5e23fe7cde8ff284b1eab6a50dbb99d3086fb17f74993c5799b7b
SSDEEP

393216:sC7dez0C2wGWHUCrc8mrf3dQ2txfZspyzjw1Qdj5zb9y:hIsWHM8mbdptHML1AtzBy

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

AWP

re-drunk.gl.at.ply.gg:14309

Mutex

220e3868-c992-4d03-83a8-2affbb617e80

Attributes

encryption_key
6C0A2B10B7809180680C7DAF60E1C0D9CD0AF5ED
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
ui

Targets

- Target
  
  pass is 1/Microsoft.Extensions.FileSystemGlobbing.dll
- Size
  
  44KB
- MD5
  
  470ad714b6cb486c3a64a918e72497a7
- SHA1
  
  13583e2627ff47fa64c192d8f91e06c4472e6cda
- SHA256
  
  ed0855b522f09b5a9ddbb85de62042c25e07d10044086da8620c845de41e473c
- SHA512
  
  6237af61b1f592fd10692906024fc970cd41f3db971c2a869aed392ad686a904edb19dae81cc247b691a26a7e5e554affdf0853b1e29938d6cea799e20343c77
- SSDEEP
  
  768:m0PO7gRE3x5o7UP04wqgYtqPRw02KO7I9Yfwbhgv5NFcEn9zT8n3:m02GE3xOwP04wqgYtm2nQY4Ngv5NFT96
Score

1^/10
behavioral1 behavioral2
- Target
  
  pass is 1/Microsoft.Web.WebView2.Core.dll
- Size
  
  575KB
- MD5
  
  ae3a2648bf76a4dfc83d5e0dcb68f3d4
- SHA1
  
  9c33e130e4f071f700321312317d0d66b2b3d8a4
- SHA256
  
  8ce541fab9d6334a97b6981e2ff1a72aa7979df913e93cb5be1536de0667cc5d
- SHA512
  
  8bb3dbb95386ccc5450fe0fd0853382092af8660009112646dca13f934e766b503fa7d9c1c91322326e0c9bae0df9643cbb2f101f256615a3b66e89d93e92aa5
- SSDEEP
  
  12288:emV6hdWrpQ322vy+uFKcDguRFNEMFeu+imQ269pRFZNIEJdIEY0lxEIPrEIgcvLz:j/
Score

1^/10
behavioral3 behavioral4
- Target
  
  pass is 1/Microsoft.Web.WebView2.WinForms.dll
- Size
  
  37KB
- MD5
  
  0582173917034dc688d21a0307110809
- SHA1
  
  ac3ffb19925eee8edc4568b1715bf873784814c4
- SHA256
  
  4921c17b3cf8225a380ab1a07682fa57fcb50dc42669a010e8acb28739f418d4
- SHA512
  
  3da9b59ba73a151db587e24aea79153b607984d6a48fdce769d77b47ad72eb66c412e026363abcb096ca562a1938a260c8de4a81774bef83278e117ef4b79984
- SSDEEP
  
  768:fHNav/17oaKzbvttZDgcEST3p4Jjrjh2jJ+SG2au8vxJKia5/Zi/ZG4Kju6b+5ol:1avYvttZDgcEST3p4JjrjaJ+SG2au4xo
Score

1^/10
behavioral5 behavioral6
- Target
  
  pass is 1/Microsoft.Web.WebView2.Wpf.dll
- Size
  
  81KB
- MD5
  
  c7984acb66b1dd21f9f88113f7f295be
- SHA1
  
  4d6cc744c3ce66a79f5fe05913909919b6042d28
- SHA256
  
  d90b35a7804412550364088d8dd0402422d1ba23c8f0b2a845c043d032dc0304
- SHA512
  
  364fced6b4e3abb8dd40c49380aec218da394f485a1eb5c8f82d994d1fbcd7e08616e306fb06f8d0b198ec2ff7f0f580b8fd6d4586da4414d5ba237c5595e99c
- SSDEEP
  
  1536:6VzQfLOHAjUIOL3VwnhZ8fYSDHf9WyER30mpc4Jjr4YeUq9GhVU0o2zQvUuakWUp:Wcfyg4IjhZ8TDHf9c30mpc4Jjr4YeUqT
Score

1^/10
behavioral7 behavioral8
- Target
  
  pass is 1/UI.dll
- Size
  
  13.5MB
- MD5
  
  1b626d41591cf75d4abf0b4ab19aff5e
- SHA1
  
  a31cc603496cff04b48fb20bd8b1daecf0fa2422
- SHA256
  
  06086a415130d6af88acc2cae9803129257901552335adb35d7ae3c717a0bebf
- SHA512
  
  55758cb2d1f9d82e78f8373cb2d2548de97a6d6999ab0f4c1e4991cb7fc4c81f3b9455b8f9200efb4af34a6c467b24926116ec5bd8d0d55c26df6a630c34b65f
- SSDEEP
  
  393216:CR49RNvgubUNaugC+eJJFPU69DNBp3iU700U:CeDyUUeWJDdRNU
Score

7^/10

themida
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  pass is 1/awp 2.exe
- Size
  
  154KB
- MD5
  
  f585a065579d8fac23be46e6d56d71cf
- SHA1
  
  058b15052f71414c21ab6725aca6d363f0bb03e7
- SHA256
  
  d55dd383de4fdd0bbe76f87940c528e8e03dc96ee0f4aba47aab86f3658098d8
- SHA512
  
  685bcfe7caa966bb14761519a83018b42932ce750a80229521ce8bb22572d7b137a05f51491816ebd307a4e557bcb51498f3369fca2618a8c86caf930d2136b2
- SSDEEP
  
  3072:6iS4omp03WQthI/9S3BZi08iRQ1G78IVn2sbS7cJ68ltjfl:6iS4ompB9S3BZi0a1G78IVAcUctD
Score

1^/10
behavioral11 behavioral12
- Target
  
  pass is 1/driver (run to map it).exe
- Size
  
  3.1MB
- MD5
  
  b854dc5efcf3779f9cc0db2161c4f5da
- SHA1
  
  3842b9fc6d342482bd674e52bdc536921e1f1a6a
- SHA256
  
  6fd1a64cabca8ccb61cacdc5b9c28726068987e23ba89c9ba387cb2bb8c4dee7
- SHA512
  
  7de23a24b160e35da92cfb903cbe92f3745bbc1bb5c13b81c0bfc08f7ac192a10ed2780f546425abd8dd8c3056172e8836bc35015453ff23dbd75b60f46cf418
- SSDEEP
  
  49152:mvQt62XlaSFNWPjljiFa2RoUYICCX1JuLoGdoCvTHHB72eh2NT:mvc62XlaSFNWPjljiFXRoUYICCI4
Score

10^/10

quasar awp spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Themida packer

Suspicious use of NtSetInformationThreadHideFromDebugger

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14