quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b | Triage

Sharing

General

Target

fud.zip
Size

15.3MB
Sample

250419-szkreszvbv
MD5

16a3d7fe2daaec168522818e8e4352eb
SHA1

cc421ffb059ddde7b99112edf3a98121458726e5
SHA256

bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b
SHA512

5e1f80ea42b5b72a3fc27c3aa1c882d305d68e4d150c7cf21522e25acaaf376b496f57667a6f2ac67031c1708e96414e314e66b88599eaa9f77a1d4b41d7c957
SSDEEP

393216:nSfvN08cA9br0VcaSLRxFijecz53Z5tPjNhRm3ygnrHoiFz:nYN08v9br0VFK6Z5X7mLHoiFz

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

C2

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Targets

- Target
  
  fud.zip
- Size
  
  15.3MB
- MD5
  
  16a3d7fe2daaec168522818e8e4352eb
- SHA1
  
  cc421ffb059ddde7b99112edf3a98121458726e5
- SHA256
  
  bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b
- SHA512
  
  5e1f80ea42b5b72a3fc27c3aa1c882d305d68e4d150c7cf21522e25acaaf376b496f57667a6f2ac67031c1708e96414e314e66b88599eaa9f77a1d4b41d7c957
- SSDEEP
  
  393216:nSfvN08cA9br0VcaSLRxFijecz53Z5tPjNhRm3ygnrHoiFz:nYN08v9br0VFK6Z5X7mLHoiFz
Score

10^/10

quasar execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2 behavioral3
- Target
  
  Installer.exe
- Size
  
  53KB
- MD5
  
  f323bb458ecbd21acdddd5ea770e775f
- SHA1
  
  9b04a6ea2e6efcc81d344f6425928c5700e9a3f6
- SHA256
  
  4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926
- SHA512
  
  ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2
- SSDEEP
  
  768:ZId0rRueeCTXZJa0CMpWBUlNP/hA8OE2fbsE/g0+EFiRs:ZId+KQXZPCiWBU8fAL5eim
Score

10^/10

quasar execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral4 behavioral5 behavioral6
- Target
  
  msys-2.0.dll
- Size
  
  88KB
- MD5
  
  f947218a2b6bc294c22175030824c12b
- SHA1
  
  ba97c647a21d78f4d70135231574a9162998a3bf
- SHA256
  
  940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4
- SHA512
  
  46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5
- SSDEEP
  
  1536:gsssTDMfCgjgibbqJ7tJ2Lr/lWzv0EH80OrxECICtf1eL5eim:hsOo6yOJRJ2X/czv0EH80OrxE9Ctf1eC
Score

10^/10

quasar execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral7 behavioral8 behavioral9
- Target
  
  tmpD01A.dll
- Size
  
  3.5MB
- MD5
  
  1a201cec87e2370a08dc00acc065501a
- SHA1
  
  02ff14bbb59d380cc8e7ffea711d978248bfcb83
- SHA256
  
  709f39277a3393fbdb4349bb19b80e2d976dd8926d6fcbe0e59d699338846016
- SHA512
  
  e80e75a672807dfa1da6002bb02e8024eaadb75f79f22c40c72c82c213d99b3f4dcdeb963a7587c0a5532fa8b6c53e9ac6eb512fc422d654191215e266eef1e1
- SSDEEP
  
  98304:UMoiKk/w5lfGCSlKNS48Rzp3roT91u7MHLzV0ZghXVp2vGmB:8iKk/9CSlKNvq
Score

1^/10
behavioral10 behavioral11 behavioral12
- Target
  
  vcruntime140.dll
- Size
  
  116KB
- MD5
  
  699dd61122d91e80abdfcc396ce0ec10
- SHA1
  
  7b23a6562e78e1d4be2a16fc7044bdcea724855e
- SHA256
  
  f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1
- SHA512
  
  2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff
- SSDEEP
  
  1536:KqvQFDdwFBHKaPX8YKpWgeQqbekRG7MP4ddbsecbWcmpCGa3QFzFtjXzp:KqvQFDUXqWn7CkRG7YecbWb9a3kDX9
Score

1^/10
behavioral13 behavioral14 behavioral15
- Target
  
  winAPI.dll
- Size
  
  36.0MB
- MD5
  
  fb466528aac78a063f4c60882a33ddc9
- SHA1
  
  2af35fa26c27e402e66b7c46d136a4a578f975af
- SHA256
  
  6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3
- SHA512
  
  0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77
- SSDEEP
  
  393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf8:fMguj8Q4VfvwqFTrYCl
Score

10^/10

quasar execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral16 behavioral17 behavioral18

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarexecutionspywaretrojan

behavioral2

behavioral3

behavioral4

quasarexecutionspywaretrojan

behavioral5

quasarexecutionspywaretrojan

behavioral6

quasarexecutionspywaretrojan

behavioral7

quasarexecutionspywaretrojan

behavioral8

quasarexecutionspywaretrojan

behavioral9

quasarexecutionspywaretrojan

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

quasarexecutionspywaretrojan

behavioral17

quasarexecutionspywaretrojan

behavioral18

quasarexecutionspywaretrojan