Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://streannable....

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://streannable.com/7n3qtp

  • Sample

    241231-yakm1svrhy

Score
10/10
quasarafafafdiscoveryexecutionpersistencephishingprivilege_escalationspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/CFqi5277Mc.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/mcm7321uo.jpg

Extracted

Family

quasar

Version

1.4.1

Botnet

afafaf

C2

194.26.192.167:2768

Mutex

c1060262-cacc-4b5e-8e09-ac72d84cef52

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    OneDrive

  • subdirectory

    OneDrive

Targets

    • Target

      https://streannable.com/7n3qtp

    Score
    10/10
    quasarafafafdiscoveryexecutionpersistencephishingprivilege_escalationspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • A potential corporate email address has been identified in the URL: currency-file@1

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks