quasar | 1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6 | Triage

Sharing

General

Target

1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
Size

349KB
Sample

250119-svk7dstqgj
MD5

dabfb0447a6890da9fe713ac91062340
SHA1

fd57dd243e2a0ef131433eb433c9f007bed44a90
SHA256

1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6
SHA512

87d156130e4aecb2fc163ebc2784674c11fc0941e794655031b0c4261d2f602665863972989ac55485c097cf475c5f4801ef618cf0fe5cab284411fd708d1066
SSDEEP

6144:UsLqdufVUNDaq5/uqlCWuXecmE4b3eJRB/W:PFUNDa0uqlCWXcmEAeJRBW

Score

10^/10

quasar new world discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

New World

C2

x75tjpwatl2uyunijiq6jwqhlar3j5fkpi5optv7tfreijbpylwnnbqd.onion:8880

Mutex

QSR_MUTEX_d2kuBEHahLdNktTZE5

Attributes

encryption_key
gAMhb8JSxFP4DNFkynoe
install_name
Java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java
subdirectory
Java

Targets

- Target
  
  1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
- Size
  
  349KB
- MD5
  
  dabfb0447a6890da9fe713ac91062340
- SHA1
  
  fd57dd243e2a0ef131433eb433c9f007bed44a90
- SHA256
  
  1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6
- SHA512
  
  87d156130e4aecb2fc163ebc2784674c11fc0941e794655031b0c4261d2f602665863972989ac55485c097cf475c5f4801ef618cf0fe5cab284411fd708d1066
- SSDEEP
  
  6144:UsLqdufVUNDaq5/uqlCWuXecmE4b3eJRB/W:PFUNDa0uqlCWXcmEAeJRBW
Score

10^/10

quasar new world discovery evasion persistence spyware trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarnew worlddiscoveryevasionpersistencespywaretrojan

behavioral2

quasarnew worlddiscoveryevasionpersistencespywaretrojan