quasar | 832c978576aca4163e3c3127e622316794836b1e634b4128797fc9493ff57105 | Triage

Sharing

General

Target

832c978576aca4163e3c3127e622316794836b1e634b4128797fc9493ff57105
Size

3.2MB
Sample

241230-a22hvaskcj
MD5

a385e16864e1ac30f23dd08e87b93319
SHA1

987c3448486e401936e928abc52cf80780fb2d37
SHA256

832c978576aca4163e3c3127e622316794836b1e634b4128797fc9493ff57105
SHA512

e2099df125c1ca9dfbaddd6ec89dadf94fcce7dd8c298958a53a8b0d0e52d91c0b26f8d1746ec72d5527594d678ec19c29f4849994d268fbdb6200a5c13c7699
SSDEEP

49152:tgviI22SsaNYfdPBldt698dBcjHq1SQoGv5lpTHHB72eh2NTf:mvv22SsaNYfdPBldt6+dBcjHq19x8

Score

10^/10

quasar office04 discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

193.161.193.99:43242

Mutex

45bfb701-bea2-411a-948d-9a6abe001f83

Attributes

encryption_key
80594967BC0A4839C316A44D62DE36E9BF18177F
install_name
SYSTEM26.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  832c978576aca4163e3c3127e622316794836b1e634b4128797fc9493ff57105
- Size
  
  3.2MB
- MD5
  
  a385e16864e1ac30f23dd08e87b93319
- SHA1
  
  987c3448486e401936e928abc52cf80780fb2d37
- SHA256
  
  832c978576aca4163e3c3127e622316794836b1e634b4128797fc9493ff57105
- SHA512
  
  e2099df125c1ca9dfbaddd6ec89dadf94fcce7dd8c298958a53a8b0d0e52d91c0b26f8d1746ec72d5527594d678ec19c29f4849994d268fbdb6200a5c13c7699
- SSDEEP
  
  49152:tgviI22SsaNYfdPBldt698dBcjHq1SQoGv5lpTHHB72eh2NTf:mvv22SsaNYfdPBldt6+dBcjHq19x8
Score

10^/10

quasar office04 discovery evasion persistence spyware trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryevasionpersistencespywaretrojan

behavioral2

quasaroffice04discoveryevasionpersistencespywaretrojan