quasar | 2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec | Triage

Submit
Reports

Overview

overview

Static

static

3

2a52e8ed89...cs.exe

windows7-x64

2a52e8ed89...cs.exe

windows10-2004-x64

Sharing

General

Target

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe
Size

718KB
Sample

240621-b1jgbaygqm
MD5

20c404f8e7606ae61f77b329d337fbc0
SHA1

e23cd528e4da2cf73bc4b4a4fb6bf9c738f59435
SHA256

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec
SHA512

d183123eb9518a9dfcca72e1a6e4a1368da17ef06e3f1c5f2de6131ed2e6582c895ee10d0dc9e912aeaed89af7f03a9b14dc75414cb19ee40511412803cd7043
SSDEEP

12288:FKrSjGt2H9toA/HZZvMtG6YGP0YO5qvsEhQFJlTzy:FKrS6stP5hGzFO5qUEhQFJk

Score

10^/10

quasar office04 evasion spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

Resource

win7-20240221-en

quasar office04 evasion spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

quasar office04 spyware trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

hvhkcutuoujbobu672-22209.portmap.host:22209

Mutex

VNM_MUTEX_B9yalilhpjXcfLAYLB

Attributes

encryption_key
1QFI1TWvW55TfLRzQhy0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Targets

- Target
  
  2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec_NeikiAnalytics.exe
- Size
  
  718KB
- MD5
  
  20c404f8e7606ae61f77b329d337fbc0
- SHA1
  
  e23cd528e4da2cf73bc4b4a4fb6bf9c738f59435
- SHA256
  
  2a52e8ed891e08b831ff2b4703c5ccefd48d512c0534de9399684a289a6b95ec
- SHA512
  
  d183123eb9518a9dfcca72e1a6e4a1368da17ef06e3f1c5f2de6131ed2e6582c895ee10d0dc9e912aeaed89af7f03a9b14dc75414cb19ee40511412803cd7043
- SSDEEP
  
  12288:FKrSjGt2H9toA/HZZvMtG6YGP0YO5qvsEhQFJlTzy:FKrS6stP5hGzFO5qUEhQFJk
Score

10^/10

quasar office04 evasion spyware trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04evasionspywaretrojan

behavioral2

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy