quasar | 98c526cb9e01d027f0f6518bab44bc4ff3e0427b325c125e543203944af66c2c | Triage

Sharing

General

Target

Client-built.exe
Size

3.1MB
Sample

250219-lpbbnsylfl
MD5

335df6f21f0dce9adba38b5a37e4f76b
SHA1

426f7981d28996e982de397654cf8b800a02a50b
SHA256

98c526cb9e01d027f0f6518bab44bc4ff3e0427b325c125e543203944af66c2c
SHA512

8bcfced2ab9b90129f24c49fa6dcfef40bdb12fab6234be6bee937b11f92e5c74ca2acbe72d5ed6136955e1e08b585ad1bf9b2b5c4e945b213a4579e17e29032
SSDEEP

49152:XvIt62XlaSFNWPjljiFa2RoUYInzY8EsoGKdTHHB72eh2NT:XvE62XlaSFNWPjljiFXRoUYIzY8l

Score

10^/10

quasar xenorat watafak defense_evasion discovery persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

watafak

C2

192.168.2.52:4844

Mutex

a97f1439-52b0-4369-9319-a29ab104cc82

Attributes

encryption_key
15F7B7E72381E729EFE3F3EC04B9B82B2C52ECB9
install_name
watakfak.exe
log_directory
Logs
reconnect_delay
3000
startup_key
.
subdirectory
.23

Extracted

Family

xenorat

C2

192.168.2.52

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4844
startup_name
nothingset

Targets

- Target
  
  Client-built.exe
- Size
  
  3.1MB
- MD5
  
  335df6f21f0dce9adba38b5a37e4f76b
- SHA1
  
  426f7981d28996e982de397654cf8b800a02a50b
- SHA256
  
  98c526cb9e01d027f0f6518bab44bc4ff3e0427b325c125e543203944af66c2c
- SHA512
  
  8bcfced2ab9b90129f24c49fa6dcfef40bdb12fab6234be6bee937b11f92e5c74ca2acbe72d5ed6136955e1e08b585ad1bf9b2b5c4e945b213a4579e17e29032
- SSDEEP
  
  49152:XvIt62XlaSFNWPjljiFa2RoUYInzY8EsoGKdTHHB72eh2NT:XvE62XlaSFNWPjljiFXRoUYIzY8l
Score

10^/10

quasar xenorat watafak defense_evasion discovery persistence rat spyware trojan
- Detect XenoRat Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarxenoratwatafakdefense_evasiondiscoverypersistenceratspywaretrojan