quasar | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce | Triage

Resubmissions

22/04/2025, 00:37

250422-ayqbeaspz6 10

21/04/2025, 17:05

250421-vmcamatky2 10

Sharing

General

Target

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Size

10KB
Sample

250422-ayqbeaspz6
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

quasar xworm rat1 discovery rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

C2

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Extracted

Family

xworm

C2

147.185.221.27:31149

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

quasar xworm rat1 discovery rat spyware trojan
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarxwormrat1discoveryratspywaretrojan