quasar | 1929dd29e87cdf1041ef1ae1e0dca8bef9921762585cd5a7ef0544abb08a41e0 | Triage

Sharing

General

Target

TopazVideoAI-6.0.1.exe
Size

722.5MB
Sample

250203-23s2msykdm
MD5

e689a868f6b020b64039ecaffa86bccb
SHA1

126ae77ed31a518e9200604f857ef83f541fcccc
SHA256

1929dd29e87cdf1041ef1ae1e0dca8bef9921762585cd5a7ef0544abb08a41e0
SHA512

2e4f7f2cce998e0918f73e8a8dd406cbf2cd8330322c0be81bcc1ed5c3efe85082af0ca3d95996499e1766e2329e61749195146ca7e26141f3016b3a7b32eecf
SSDEEP

12582912:agg9UZw4+PAPqx9r8dhoK3aVAPq8QX67999UWdrZSuvhRCATf6y5OSOPp7mBck9B:A1AQ9r8dhTqybF5j6ygmB7B

Score

10^/10

quasar archiwizard!!discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ArchiWizard!!

C2

craftsgamer.4cloud.click:1985

Mutex

bdpdZgmumkJHnfQ8Ww

Attributes

encryption_key
Pu2mXe4y4k84ASprLb8F
install_name
Client.exe
log_directory
18HD
reconnect_delay
10000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  TopazVideoAI-6.0.1.exe
- Size
  
  722.5MB
- MD5
  
  e689a868f6b020b64039ecaffa86bccb
- SHA1
  
  126ae77ed31a518e9200604f857ef83f541fcccc
- SHA256
  
  1929dd29e87cdf1041ef1ae1e0dca8bef9921762585cd5a7ef0544abb08a41e0
- SHA512
  
  2e4f7f2cce998e0918f73e8a8dd406cbf2cd8330322c0be81bcc1ed5c3efe85082af0ca3d95996499e1766e2329e61749195146ca7e26141f3016b3a7b32eecf
- SSDEEP
  
  12582912:agg9UZw4+PAPqx9r8dhoK3aVAPq8QX67999UWdrZSuvhRCATf6y5OSOPp7mBck9B:A1AQ9r8dhTqybF5j6ygmB7B
Score

10^/10

quasar archiwizard!!discovery execution persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Power Settings

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasararchiwizard!!discoveryexecutionpersistencespywaretrojan