quasar | adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890 | Triage

Sharing

General

Target

Loli.bat
Size

7.2MB
Sample

241231-exdnfatqbj
MD5

b052451fc18d2a15c1d83312b55d09a3
SHA1

81ed7f80a894ceaca01153920d3b5e73f593d6a5
SHA256

adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890
SHA512

9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659
SSDEEP

49152:zHRDNbQ4h2m6rQA3V8VxkTxV824RWYDQhM84IU6ZGnxb6szVaeB8bOYxs4ztgyUv:F

Score

10^/10

quasar bootkit defense_evasion execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
03816C045CDE13385E227545D99CA4F0BBE6CC9F
reconnect_delay
3000

Targets

- Target
  
  Loli.bat
- Size
  
  7.2MB
- MD5
  
  b052451fc18d2a15c1d83312b55d09a3
- SHA1
  
  81ed7f80a894ceaca01153920d3b5e73f593d6a5
- SHA256
  
  adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890
- SHA512
  
  9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659
- SSDEEP
  
  49152:zHRDNbQ4h2m6rQA3V8VxkTxV824RWYDQhM84IU6ZGnxb6szVaeB8bOYxs4ztgyUv:F
Score

10^/10

quasar execution spyware trojan bootkit defense_evasion persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarexecutionspywaretrojan

behavioral2

behavioral3

bootkitdefense_evasionexecutionpersistence

behavioral4

executionpersistence

behavioral5

quasardefense_evasionexecutionspywaretrojan