Overview

overview

10

Static

static

3

Solara Executor.exe

windows7-x64

8

Solara Executor.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Solara Executor.zip

  • Size

    23KB

  • Sample

    250203-whqswsznhm

  • MD5

    c56064494703742a97e85f2af29bf497

  • SHA1

    18ffbbe76a4d5324d25d0975f73d9f22402cf708

  • SHA256

    ae6ec274f3ba5cba4adf8fc11019d44e21defbde41a4b85ec1613d5cc42cb3c0

  • SHA512

    96024779acf9faa2d149f9bee94c1812c052b71e270b31fb0ada63b3d9efcf3f39fac5f09cd3fa99acf5fe66204aab1fd8c396a250764acae67aaec285f6fe64

  • SSDEEP

    384:4cGBknvOvHU9Eq3PyuIYIU+rF0Abdv/7X62WaGdTha4YSxjpXtkVuA/R/89s8vk9:45kGvHUparYIU+xzbd+/dVa4YSxjpX2T

Score
10/10
quasarsvhost32discoveryexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svhost32

C2

87.228.57.81:4782

Mutex

47b71fc0-b2c4-4112-b97a-39385a5399c1

Attributes
  • encryption_key

    19A0FAF8459F69650B5965C225752D425C429EEC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost32

  • subdirectory

    SubDir

Targets

    • Target

      Solara Executor.exe

    • Size

      18.7MB

    • MD5

      20f922eb17efc661c32b9af7123cc2e3

    • SHA1

      cc225ff5794975e66fcbd7f6a6a0cf3c780fd488

    • SHA256

      8d7559b7b2641f0eddca0905f3ebd59dbe93ebf5d44603227480fbcbe69ed82c

    • SHA512

      6c332727ff87f432bd7b8f862e6155ff748d687a2da55726c1055f4b655d6ec43a4d3475a7f8be39302efe5905b5a8164bd8113598c1a0af5b85aa47071153fd

    • SSDEEP

      192:8yihNYoCYedOzbD/kyL7F9DKCvzlKHmCYOF6Qb/:8hmoCJdOzbrkyF1RKGCLAk

    Score
    10/10
    discoveryexecutionquasarsvhost32spywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks