Overview

overview

10

Static

static

10

Quasar v1....e.html

windows7-x64

3

Quasar v1....e.html

windows10-2004-x64

8

Quasar v1....to.dll

windows7-x64

1

Quasar v1....to.dll

windows10-2004-x64

1

Quasar v1....ok.dll

windows7-x64

1

Quasar v1....ok.dll

windows10-2004-x64

1

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

8

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

8

Quasar v1....ks.dll

windows7-x64

3

Quasar v1....ks.dll

windows10-2004-x64

8

Quasar v1....il.dll

windows7-x64

4

Quasar v1....il.dll

windows10-2004-x64

8

Quasar v1....at.dll

windows7-x64

1

Quasar v1....at.dll

windows10-2004-x64

8

Quasar v1....on.dll

windows7-x64

1

Quasar v1....on.dll

windows10-2004-x64

8

Quasar v1....ar.exe

windows7-x64

10

Quasar v1....ar.exe

windows10-2004-x64

10

Quasar v1....ib.dll

windows7-x64

1

Quasar v1....ib.dll

windows10-2004-x64

3

Quasar v1....nt.exe

windows7-x64

10

Quasar v1....nt.exe

windows10-2004-x64

10

Quasar v1....et.dll

windows7-x64

1

Quasar v1....et.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • Sample

    250210-x3kytatlgs

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasaradwarediscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Targets

    • Target

      Quasar v1.4.1/3rdPartyLicenses/BouncyCastle_license.html

    • Size

      1KB

    • MD5

      bf8d5a737e70dd3493a475b8672f14df

    • SHA1

      01d35be1b65293f7ca43ee1045424599923ab54a

    • SHA256

      6b73c0a42d138d1f05b527c7b936e79af9f44a55d52e35f912da15c0dea43d30

    • SHA512

      ecc23ef88b80944ed135233118db167bf5dc161b0392af25ae846010f9993673bbdb62f88bf6de24dc060a48a0cfe96be261d30f5dac2705ed0f01d987fe24b8

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral1behavioral2

    • Target

      Quasar v1.4.1/BouncyCastle.Crypto.dll

    • Size

      3.2MB

    • MD5

      0cf454b6ed4d9e46bc40306421e4b800

    • SHA1

      9611aa929d35cbd86b87e40b628f60d5177d2411

    • SHA256

      e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

    • SHA512

      85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

    • SSDEEP

      49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY

    Score
    1/10
    behavioral3behavioral4

    • Target

      Quasar v1.4.1/Gma.System.MouseKeyHook.dll

    • Size

      56KB

    • MD5

      bfb3bd1cb571360435100bfa6ed2b997

    • SHA1

      1325e8dd76180a165117e04da4ee4a020e996880

    • SHA256

      a67a424013544c8270c12633e2e1e287cd5cf0b3f2e81e8d8204b37a03da59ef

    • SHA512

      ae5a88a9e86b9e64b8c289213f814586dfa5fe5e0cc21bdbc3e48c36d81fa9e763c6e78f24e40df07696228270ad72f408846125e61e33cae867ef8ff88a3c15

    • SSDEEP

      768:qYnDJGdu2oE3d7ltSl+Y8sCcm8Doi/L0CPw87qquEZ+r3FhuiFJ8G:VncoU48/AzPwYpNZ6rXJ8G

    Score
    1/10
    behavioral5behavioral6

    • Target

      Quasar v1.4.1/Mono.Cecil.Mdb.dll

    • Size

      42KB

    • MD5

      1c6aca0f1b1fa1661fc1e43c79334f7c

    • SHA1

      ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

    • SHA256

      411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

    • SHA512

      1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

    • SSDEEP

      768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral7behavioral8

    • Target

      Quasar v1.4.1/Mono.Cecil.Pdb.dll

    • Size

      87KB

    • MD5

      6d5eb860c2be5dbeb470e7d3f3e7dda4

    • SHA1

      80c76660b87c52127b1a7da48e27700f75362041

    • SHA256

      447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

    • SHA512

      64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

    • SSDEEP

      1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral10behavioral9

    • Target

      Quasar v1.4.1/Mono.Cecil.Rocks.dll

    • Size

      27KB

    • MD5

      6e7f0f4fff6c49e3f66127c23b7f1a53

    • SHA1

      14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a

    • SHA256

      2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e

    • SHA512

      0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e

    • SSDEEP

      384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral11behavioral12

    • Target

      Quasar v1.4.1/Mono.Cecil.dll

    • Size

      350KB

    • MD5

      de69bb29d6a9dfb615a90df3580d63b1

    • SHA1

      74446b4dcc146ce61e5216bf7efac186adf7849b

    • SHA256

      f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

    • SHA512

      6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

    • SSDEEP

      6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral13behavioral14

    • Target

      Quasar v1.4.1/Open.Nat.dll

    • Size

      68KB

    • MD5

      cc6f6503d29a99f37b73bfd881de8ae0

    • SHA1

      92d3334898dbb718408f1f134fe2914ef666ce46

    • SHA256

      0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

    • SHA512

      7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

    • SSDEEP

      768:sF6vHHLFkywkNh5qtHMjkCifoydVXw5FxusiolecziijiSvD+ZGFa4Pw6OdrGHUm:8GmyJNh0tbt3MLQ9W2rG0Ydd

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral15behavioral16

    • Target

      Quasar v1.4.1/Quasar.Common.dll

    • Size

      62KB

    • MD5

      2185564051ea2e046d9f711ed3cd93ff

    • SHA1

      2f2d7fd470da6d126582ad80df2802aabd6c9cea

    • SHA256

      de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

    • SHA512

      00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

    • SSDEEP

      768:hiF6Vg9HIxFMu9brfp0kUEb9k/pUHRfp0YDpb4rILMgYY44YYXINk6I+QyIFLwSu:h9Nc7firfS0kE5Ia8I4Z

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral17behavioral18

    • Target

      Quasar v1.4.1/Quasar.exe

    • Size

      1.2MB

    • MD5

      12ebf922aa80d13f8887e4c8c5e7be83

    • SHA1

      7f87a80513e13efd45175e8f2511c2cd17ff51e8

    • SHA256

      43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

    • SHA512

      fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

    • SSDEEP

      12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

    Score
    10/10
    quasarspywaretrojandiscovery

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Downloads MZ/PE file

    behavioral19behavioral20

    • Target

      Quasar v1.4.1/Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      944ce5123c94c66a50376e7b37e3a6a6

    • SHA1

      a1936ac79c987a5ba47ca3d023f740401f73529b

    • SHA256

      7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

    • SHA512

      4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

    • SSDEEP

      1536:CSSYikTF0Z+sFGu11tIcyI1MtI9eDG3fL7:CJYD0Z9FGu11teI1r9ea3

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      Quasar v1.4.1/client.bin

    • Size

      3.1MB

    • MD5

      f4d16cfe4cad388255e43f258329f805

    • SHA1

      fe7cc6c9eb76b5ad97867b46d053fae601fd4a2d

    • SHA256

      8fb6ae3496d4ac025eab443d3e322b0faa3461d25b54093c9205d35746e3250e

    • SHA512

      867045eac0f7765e6bea51e62bc4ed68b1e81ce6c2843d2e08714eb391a8ac94c2571c09828286252248400ea5c12bffa50a25c8ec5ad9e6d0bb836320ec188f

    • SSDEEP

      49152:4nb7+y2FqZaVmN+PqlhU/mevlL1nYtsCeAcxUuxG2THHB72eh2NT:4nf+y2FqZaVmN+PqlhU//vlL1Yts3Bx

    Score
    10/10
    quasarspywaretrojandiscovery

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Downloads MZ/PE file

    behavioral23behavioral24

    • Target

      Quasar v1.4.1/protobuf-net.dll

    • Size

      282KB

    • MD5

      abc82ae4f579a0bbfa2a93db1486eb38

    • SHA1

      faa645b92e3de7037c23e99dd2101ef3da5756e5

    • SHA256

      ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

    • SHA512

      e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

    • SSDEEP

      3072:yRAISQ1tRSVB3zpKTEPn6Rc0qus/6GMzzeSXLifsE2s58IB7aoqng5YnDBzs39AH:yRFD1niy6n6KwhO5mIYpnNzgGD0u

    Score
    8/10
    adwarediscoverypersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral25behavioral26

MITRE ATT&CK Enterprise v15

Tasks

static1

quasar
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
8/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

discovery
Score
8/10

behavioral9

Score
1/10

behavioral10

discovery
Score
8/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
8/10

behavioral13

Score
4/10

behavioral14

discovery
Score
8/10

behavioral15

Score
1/10

behavioral16

discovery
Score
8/10

behavioral17

Score
1/10

behavioral18

discovery
Score
8/10

behavioral19

quasarspywaretrojan
Score
10/10

behavioral20

quasardiscoveryspywaretrojan
Score
10/10

behavioral21

Score
1/10

behavioral22

discovery
Score
3/10

behavioral23

quasarspywaretrojan
Score
10/10

behavioral24

quasardiscoveryspywaretrojan
Score
10/10

behavioral25

Score
1/10

behavioral26

adwarediscoverypersistenceprivilege_escalationstealer
Score
8/10