quasar | 29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9 | Triage

Submit
Reports

Overview

overview

Static

static

13ddb4c563...18.exe

windows7-x64

13ddb4c563...18.exe

windows10-2004-x64

Sharing

General

Target

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118
Size

358KB
Sample

240626-3dmc8szejd
MD5

13ddb4c563aa5d65f2a9822d50e3b92f
SHA1

2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
SHA256

29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
SHA512

ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
SSDEEP

6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI

Score

10^/10

quasar office04 spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe

Resource

win7-20240419-en

quasar office04 spyware trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe

Resource

win10v2004-20240508-en

quasar office04 spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

almammory.hopto.org:1177

Mutex

QSR_MUTEX_uvFpjg4C7Cxl60AUEGAUEGGMUTEOO

Attributes

encryption_key
WVQm2WP2iovscPfuELDp
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118
- Size
  
  358KB
- MD5
  
  13ddb4c563aa5d65f2a9822d50e3b92f
- SHA1
  
  2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
- SHA256
  
  29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
- SHA512
  
  ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
- SSDEEP
  
  6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04spywaretrojan

behavioral2

quasaroffice04spywaretrojan

© 2018-2024

Terms | Privacy