quasar | 6a52f0cf77b3706de713eff3d7e038ff13d5ca7c8fc837f4eee0adac079cf522 | Triage

Sharing

General

Target

FortniteCleaner and Spoofer.bat
Size

11.7MB
Sample

241230-k4gxbstqbm
MD5

2633869ac4a9cb98b01488ac2cb20d72
SHA1

167871fab0a19acaf7ad22144d8fdb5b09959a28
SHA256

6a52f0cf77b3706de713eff3d7e038ff13d5ca7c8fc837f4eee0adac079cf522
SHA512

f4d48d8e672d828c79b65b886c1ca3a423701cd6a8077c0ab78c4d2e60284ed505fc971975beab3e79bd9b9c20f821b52111258642c8bbb4024891a343004543
SSDEEP

49152:z+8TuE0MoXJ8qRdxr47sbd6rBJYqfpbAgpK64KspQPEf+UWONvGFni6xha3DrNG0:k

Score

10^/10

quasar v3.0.6 | zuni defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v3.0.6 | Zuni

C2

infallible-water-17742.pktriot.net:22270

Mutex

35d8168c-a187-4a7a-91c1-0c08c720bf29

Attributes

encryption_key
8D3F0F423E546AEF9412DC2001F9C1DAB11CB7F5
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Targets

- Target
  
  FortniteCleaner and Spoofer.bat
- Size
  
  11.7MB
- MD5
  
  2633869ac4a9cb98b01488ac2cb20d72
- SHA1
  
  167871fab0a19acaf7ad22144d8fdb5b09959a28
- SHA256
  
  6a52f0cf77b3706de713eff3d7e038ff13d5ca7c8fc837f4eee0adac079cf522
- SHA512
  
  f4d48d8e672d828c79b65b886c1ca3a423701cd6a8077c0ab78c4d2e60284ed505fc971975beab3e79bd9b9c20f821b52111258642c8bbb4024891a343004543
- SSDEEP
  
  49152:z+8TuE0MoXJ8qRdxr47sbd6rBJYqfpbAgpK64KspQPEf+UWONvGFni6xha3DrNG0:k
Score

10^/10

execution quasar v3.0.6 | zuni defense_evasion spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Window

Impair Defenses

Safe Mode Boot

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarv3.0.6 | zunidefense_evasionexecutionspywaretrojan