quasar | 8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c | Triage

Sharing

General

Target

SolaraExecutor.exe
Size

18.7MB
Sample

250131-gyq19sypbs
MD5

20f922eb17efc661c32b9af7123cc2e3
SHA1

cc225ff5794975e66fcbd7f6a6a0cf3c780fd488
SHA256

8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c
SHA512

6c332727ff87f432bd7b8f862e6155ff748d687a2da55726c1055f4b655d6ec43a4d3475a7f8be39302efe5905b5a8164bd8113598c1a0af5b85aa47071153fd
SSDEEP

192:8yihNYoCYedOzbD/kyL7F9DKCvzlKHmCYOF6Qb/:8hmoCJdOzbrkyF1RKGCLAk

Score

10^/10

quasar svhost32 discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svhost32

C2

87.228.57.81:4782

Mutex

47b71fc0-b2c4-4112-b97a-39385a5399c1

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost32
subdirectory
SubDir

Targets

- Target
  
  SolaraExecutor.exe
- Size
  
  18.7MB
- MD5
  
  20f922eb17efc661c32b9af7123cc2e3
- SHA1
  
  cc225ff5794975e66fcbd7f6a6a0cf3c780fd488
- SHA256
  
  8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c
- SHA512
  
  6c332727ff87f432bd7b8f862e6155ff748d687a2da55726c1055f4b655d6ec43a4d3475a7f8be39302efe5905b5a8164bd8113598c1a0af5b85aa47071153fd
- SSDEEP
  
  192:8yihNYoCYedOzbD/kyL7F9DKCvzlKHmCYOF6Qb/:8hmoCJdOzbrkyF1RKGCLAk
Score

10^/10

discovery execution quasar svhost32 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

quasarsvhost32discoveryexecutionspywaretrojan