quasar | a22da8d56cf13256c246fe97435059f93a46da71a8bf2eefa3d86383aab03561 | Triage

Sharing

General

Target

Packburpsuite22.rar
Size

208.8MB
Sample

250125-pbkvqssjgw
MD5

75d761317f34545da3785bc2d6af1d1a
SHA1

1c9e2ad42892e84d76ea37db3527f2461b330f4b
SHA256

a22da8d56cf13256c246fe97435059f93a46da71a8bf2eefa3d86383aab03561
SHA512

ed7d89923186c32618973546b3c04b53cc91d7704723638c629abe46c8e4cd96db6f2e75b2bcdfea410ffd32d459e5e53b95a4b5bd264638114e56a0827e8a18
SSDEEP

6291456:23kzLaunKvHkZY4Sq4X5FVdSzc59BuJhA+EWeBUnp:IkabvHuSq4JndmGBEt

Score

10^/10

quasar loomis2 discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

loomis2

C2

jubilesystem.ddnsking.com:4444

Mutex

QSR_MUTEX_ZjSInQJ5D4br5J3Ynw

Attributes

encryption_key
qDIhB2NvMxV9BhEYx5Ic
install_name
shostt.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhostt
subdirectory
SubDir

Targets

- Target
  
  Packburpsuite22.rar
- Size
  
  208.8MB
- MD5
  
  75d761317f34545da3785bc2d6af1d1a
- SHA1
  
  1c9e2ad42892e84d76ea37db3527f2461b330f4b
- SHA256
  
  a22da8d56cf13256c246fe97435059f93a46da71a8bf2eefa3d86383aab03561
- SHA512
  
  ed7d89923186c32618973546b3c04b53cc91d7704723638c629abe46c8e4cd96db6f2e75b2bcdfea410ffd32d459e5e53b95a4b5bd264638114e56a0827e8a18
- SSDEEP
  
  6291456:23kzLaunKvHkZY4Sq4X5FVdSzc59BuJhA+EWeBUnp:IkabvHuSq4JndmGBEt
Score

10^/10

quasar loomis2 discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarloomis2discoverypersistencespywaretrojan