quasar | 4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915 | Triage

Submit
Reports

Overview

overview

Static

static

3

4e5e207318...15.exe

windows7-x64

4e5e207318...15.exe

windows10-2004-x64

Sharing

General

Target

4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915.exe
Size

863KB
Sample

240613-vwzsaaxcna
MD5

1ebc16b09f9f1cdf224a0b50333c95ae
SHA1

33c77f6b12a89171f91a212b233a43d4dfd9be71
SHA256

4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915
SHA512

f3dc8cec13b6eef1b2bad396fc7291fc3c026031283a5b30749f4e593fa8954981bb97e9c49f8d27aa146f5e9f55d315b774ce6ae2e2b57c5b5c2a9f4b21cebd
SSDEEP

12288:EgxwPTQBSqsfmrrPccQejxv6LP9V/Z+jqV1JudejYmKD4/h9lDS0SqEVVEbNoi11:VxFeqPNFycCMdeqD4ZDpSfVaCqDnh

Score

10^/10

quasar office04 evasion execution spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915.exe

Resource

win7-20240220-en

quasar office04 evasion execution spyware trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915.exe

Resource

win10v2004-20240508-en

quasar office04 evasion execution spyware trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

38.180.9.93:4782

Mutex

5a8251f0-2689-4ef1-8412-aac562e02a4d

Attributes

encryption_key
C9BC046B617DD0F608706B9640C8D97C327969FB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ent Startup
subdirectory
SubDir

Targets

- Target
  
  4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915.exe
- Size
  
  863KB
- MD5
  
  1ebc16b09f9f1cdf224a0b50333c95ae
- SHA1
  
  33c77f6b12a89171f91a212b233a43d4dfd9be71
- SHA256
  
  4e5e207318513ffd66653a5106a121d2790a98dc25a103c67c3476b142612915
- SHA512
  
  f3dc8cec13b6eef1b2bad396fc7291fc3c026031283a5b30749f4e593fa8954981bb97e9c49f8d27aa146f5e9f55d315b774ce6ae2e2b57c5b5c2a9f4b21cebd
- SSDEEP
  
  12288:EgxwPTQBSqsfmrrPccQejxv6LP9V/Z+jqV1JudejYmKD4/h9lDS0SqEVVEbNoi11:VxFeqPNFycCMdeqD4ZDpSfVaCqDnh
Score

10^/10

quasar office04 evasion execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04evasionexecutionspywaretrojan

behavioral2

quasaroffice04evasionexecutionspywaretrojan

© 2018-2024

Terms | Privacy