Overview

overview

10

Static

static

3

2b85704b2d...88.exe

windows7-x64

10

2b85704b2d...88.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe

  • Size

    10.7MB

  • Sample

    250120-cl9kmawqfk

  • MD5

    436052b37a3752148c885667e34dd9c3

  • SHA1

    59dbc9e97fb1c74ae666bc87e9ab2f453f780006

  • SHA256

    2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88

  • SHA512

    c6ef01300bb1350d64e5a4d5f48a1c013f8638ac9240820d2d27e951b0ca4b105ff2ee66a07bb3954178c7df8435dbfb561b7a7112f8f3ec79e63cedb7f4d784

  • SSDEEP

    196608:QPW6IG7f1KCArQWGRhoDyp7t1OCf80nXIQPfMEftec7HsrEha1:w37d6T+97t1OCf80XIxQec7O

Score
10/10
quasarsvchost 2svchost 3discoverypyinstallerspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 2

C2

41.216.183.179:3742

Mutex

d018acac-011d-4ca3-b0c3-4fdd7ec2d6d1

Attributes
  • encryption_key

    0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7

  • install_name

    Host Process for Windows Tasks.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Host Process for Windows Tasks

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 3

C2

41.216.183.179:3742

Mutex

11b8b70b-ab15-4aab-8132-3e7b18b2b48b

Attributes
  • encryption_key

    0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7

  • install_name

    startui.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    startui

  • subdirectory

    SubDir

Targets

    • Target

      2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe

    • Size

      10.7MB

    • MD5

      436052b37a3752148c885667e34dd9c3

    • SHA1

      59dbc9e97fb1c74ae666bc87e9ab2f453f780006

    • SHA256

      2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88

    • SHA512

      c6ef01300bb1350d64e5a4d5f48a1c013f8638ac9240820d2d27e951b0ca4b105ff2ee66a07bb3954178c7df8435dbfb561b7a7112f8f3ec79e63cedb7f4d784

    • SSDEEP

      196608:QPW6IG7f1KCArQWGRhoDyp7t1OCf80nXIQPfMEftec7HsrEha1:w37d6T+97t1OCf80XIxQec7O

    Score
    10/10
    quasarsvchost 2svchost 3discoverypyinstallerspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks