Resubmissions

07-01-2025 15:16

250107-sneq2aykej 10

07-01-2025 14:48

250107-r6y2ysvrdw 10

07-01-2025 14:31

250107-rvyl2swrhr 7

07-01-2025 14:23

250107-rqb79awqcq 1

General

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ROBLOX EXECUTOR

C2

192.168.50.1:4782

10.0.0.113:4782

LETSQOOO-62766.portmap.host:62766

89.10.178.51:4782

Mutex

90faf922-159d-4166-b661-4ba16af8650e

Attributes
  • encryption_key

    FFEE70B90F5EBED6085600C989F1D6D56E2DEC26

  • install_name

    windows 3543.exe

  • log_directory

    roblox executor

  • reconnect_delay

    3000

  • startup_key

    windows background updater

  • subdirectory

    windows updater

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks