quasar | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

General

Target

4363463463464363463463463.zip.zip
Size

394KB
Sample

250120-w2bhbasnd1
MD5

22872ef7f39c6c03422b358f867e69b7
SHA1

263dbd53bf3e6766a11e0a0ce896e708be807aa0
SHA256

12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
SHA512

d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817
SSDEEP

12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI

Score

10^/10

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

stealc

Botnet

Voov

C2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

C2

193.161.193.99:35184

67.205.154.243:35184

Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes

encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS Build Tools
subdirectory
Microsoft-Build-Tools

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

85.192.29.60:5173

Mutex

QAPB6w0UbYXMvQdKRF

Attributes

encryption_key
pxC3g4rfVijQxK1hMGwM
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  764KB
- MD5
  
  85e3d4ac5a6ef32fb93764c090ef32b7
- SHA1
  
  adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
- SHA256
  
  4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
- SHA512
  
  a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
- SSDEEP
  
  12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Score

10^/10

quasar stealc xred office test voov backdoor discovery persistence spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1