quasar | 30e4bb6f6d78d8d66e9df4b8c856cc2877096c6851be7c167ed23dff72add67e | Triage

Sharing

General

Target

JaffaCakes118_5ba44ef6e4794a232ab680c01289ab13
Size

3.0MB
Sample

250107-lp2hvsxmcp
MD5

5ba44ef6e4794a232ab680c01289ab13
SHA1

cbba30dd455680e31ecd27567e71f4d8459c9d1e
SHA256

30e4bb6f6d78d8d66e9df4b8c856cc2877096c6851be7c167ed23dff72add67e
SHA512

9968179e34f56e7b6b8c5b1618c0ce487a99228b0eb66aa48570fb0c5f3d6aa05b13038cfc4e4ce2815a153ab055d0070a1d0accb77935fe80a98db404d1efd5
SSDEEP

49152:GJdbxFJNoyWQCrm1KKCYCBPCMtIDWk+oowRXN9CJTvAWd3OulJ/:yFTtWQT1vCYC8Wk+6FDDu3/

Score

10^/10

quasar rotaz discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

ROTAZ

C2

johnnycoukiedough-32583.portmap.host:31049

Mutex

3beba8ff-20e4-4900-b227-66c42193224d

Attributes

encryption_key
EF6D608E6D632DE3BE9AEFD87041D26415D93D65
install_name
Office365.exe
log_directory
Versions
reconnect_delay
3000
startup_key
StartupAssistant
subdirectory
Microsoft-Office365

Targets

- Target
  
  JaffaCakes118_5ba44ef6e4794a232ab680c01289ab13
- Size
  
  3.0MB
- MD5
  
  5ba44ef6e4794a232ab680c01289ab13
- SHA1
  
  cbba30dd455680e31ecd27567e71f4d8459c9d1e
- SHA256
  
  30e4bb6f6d78d8d66e9df4b8c856cc2877096c6851be7c167ed23dff72add67e
- SHA512
  
  9968179e34f56e7b6b8c5b1618c0ce487a99228b0eb66aa48570fb0c5f3d6aa05b13038cfc4e4ce2815a153ab055d0070a1d0accb77935fe80a98db404d1efd5
- SSDEEP
  
  49152:GJdbxFJNoyWQCrm1KKCYCBPCMtIDWk+oowRXN9CJTvAWd3OulJ/:yFTtWQT1vCYC8Wk+6FDDu3/
Score

10^/10

quasar rotaz discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarrotazdiscoveryexecutionpersistencespywaretrojan