quasar | 0d6e24e41bad37ce0f0fa2752d7f4e347d2c2b15272d18625ca895be20c61378

Sharing

Copy URL

Twitter E-mail

General

Target

_CRACKED_Paid_Nitro_gen_Tropical_Nitro_Generator_cracked_free_main.zip
Size

8.0MB
Sample

240619-z5jjwasape
MD5

5953eade1718e309ec5233ddb33003b3
SHA1

4ae2cd8e28fd0e454d57238d9b2d930d99b326da
SHA256

0d6e24e41bad37ce0f0fa2752d7f4e347d2c2b15272d18625ca895be20c61378
SHA512

ece5bcbe9d201228d5804d1af71fdf36411770fd14ca45898985577e301827fefa3c255eea23afd747faa27b556cec44ca3f5ce3474661a0c8f9ed1664b9321f
SSDEEP

196608:FTxp4bf0v9plda56mfp8QGaTu+OcYnMC/MDKa1yItyQRI:Tpz1plda5ZB8YifJiEI1RI

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

auroraforge.art:55326

thesirenmika.com:55713

Mutex

90e5b58f-3c4e-4c0d-b7ae-0b38315dc172

Attributes

encryption_key
A730DFF691ED1723ED88E36A2C5E7ED5CCF91DD1
install_name
up2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  -CRACKED-Paid-Nitro-gen-Tropical-Nitro-Generator-cracked-free-main/DiscordNitroGenerator.exe
- Size
  
  22.0MB
- MD5
  
  ca9ebeadf3b9c37fc61ebd08f41f27ba
- SHA1
  
  e5ca52600f0c29b0067304bdba7671c0bbb96f87
- SHA256
  
  9a34c7ab2c8bdc2e296a5de01c2c18da15603dd50bd50d6059c2561fb58aaa55
- SHA512
  
  840ba61739b43b747257cfd6cb633650d6902980db48cccd730050b69f63b0372b99f51fb7e39f8af6db46da5726cf61e7184f1e4db7ddefbc5745927fbfebdc
- SSDEEP
  
  49152:AcVV1BCjB18rclSJjf1od18AmjvworgYBXc62MUiqgNx6UzMInCKXoEp5Yxst+EZ:5
Score

10^/10

quasar xmrig office04 discovery evasion execution miner persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  -CRACKED-Paid-Nitro-gen-Tropical-Nitro-Generator-cracked-free-main/Tropical.py
- Size
  
  3KB
- MD5
  
  9cd32b09f10bb67f4bee9c13c39a81ce
- SHA1
  
  90a193a4139e282f54b4b36f846876ffeef74071
- SHA256
  
  655e38151c09a2bb9cdeb59efa76d8d73baf7aaf424d4e6315022b514ab3c162
- SHA512
  
  04780e75b0db354af8f9ac35d428cc2f7c777f36fbaf6106dbe489baa3b6f3da6ed0f15baf82964bb69fa6d55fec1e2c761b0626cb4ffff1419f782350bba654
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar RAT

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

xmrig

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Sets file to hidden

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4