quasar | e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758 | Triage

Sharing

General

Target

e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
Size

637KB
Sample

241231-1p3s9a1lby
MD5

f1c3e7d4f2ea34ded96047cc76392340
SHA1

60683db56a96afe8ef1557c10fb861ae1081097b
SHA256

e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758
SHA512

9d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47
SSDEEP

12288:PFUNDaJTEgdfYe/iKg3qFE4/ywNFpdrdwzTCcdjv:PFOaKUwC5F9ywNFpdJ7cdjv

Score

10^/10

quasar office04 discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Java Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Targets

- Target
  
  e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
- Size
  
  637KB
- MD5
  
  f1c3e7d4f2ea34ded96047cc76392340
- SHA1
  
  60683db56a96afe8ef1557c10fb861ae1081097b
- SHA256
  
  e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758
- SHA512
  
  9d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47
- SSDEEP
  
  12288:PFUNDaJTEgdfYe/iKg3qFE4/ywNFpdrdwzTCcdjv:PFOaKUwC5F9ywNFpdJ7cdjv
Score

10^/10

quasar office04 discovery evasion persistence spyware trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryevasionpersistencespywaretrojan

behavioral2

quasaroffice04discoveryevasionpersistencespywaretrojan