quasar | fbd232bef38a185689126a83412f660670babd5fcd67674c698c3af1d9ccdb12 | Triage

Sharing

General

Target

JaffaCakes118_f7bbf426b790e58d31c112ad57028727
Size

3.0MB
Sample

250111-fqkc3sxqhn
MD5

f7bbf426b790e58d31c112ad57028727
SHA1

c6c6ad699c01445d76a5e72c1890a4c77614e77a
SHA256

fbd232bef38a185689126a83412f660670babd5fcd67674c698c3af1d9ccdb12
SHA512

3f35132aaf069d598b66d3d87122f85beda6762a7c849ef5a3d36fd98ffae6c60367f07ba32217155082e469bdd77b2c6c0dce7fbe268dc6a4381540ba731fea
SSDEEP

49152:mhNG2xCF8FythJYb7T6jNCAaYGzIKuZaonz0XdetFkMKoW4pOXs:EXC6othq7WjNCduZaWnBOX

Score

10^/10

quasar rotaz discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

ROTAZ

C2

johnnycoukiedough-32583.portmap.host:31049

Mutex

3beba8ff-20e4-4900-b227-66c42193224d

Attributes

encryption_key
EF6D608E6D632DE3BE9AEFD87041D26415D93D65
install_name
Office365.exe
log_directory
Versions
reconnect_delay
3000
startup_key
StartupAssistant
subdirectory
Microsoft-Office365

Targets

- Target
  
  JaffaCakes118_f7bbf426b790e58d31c112ad57028727
- Size
  
  3.0MB
- MD5
  
  f7bbf426b790e58d31c112ad57028727
- SHA1
  
  c6c6ad699c01445d76a5e72c1890a4c77614e77a
- SHA256
  
  fbd232bef38a185689126a83412f660670babd5fcd67674c698c3af1d9ccdb12
- SHA512
  
  3f35132aaf069d598b66d3d87122f85beda6762a7c849ef5a3d36fd98ffae6c60367f07ba32217155082e469bdd77b2c6c0dce7fbe268dc6a4381540ba731fea
- SSDEEP
  
  49152:mhNG2xCF8FythJYb7T6jNCAaYGzIKuZaonz0XdetFkMKoW4pOXs:EXC6othq7WjNCduZaWnBOX
Score

10^/10

quasar rotaz discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarrotazdiscoveryexecutionpersistencespywaretrojan