Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Resubmissions

27-06-2024 14:00

240627-ra8xaavara 10

27-06-2024 13:31

240627-qswh8stdlh 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.exe

  • Size

    9.8MB

  • Sample

    240627-ra8xaavara

  • MD5

    bb57e95ad7ac1da6307c62d2e75a7e6d

  • SHA1

    403145af8d0e5260ff0bb9eacac51e9a667214e2

  • SHA256

    e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630

  • SHA512

    12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8

  • SSDEEP

    196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK

Score
10/10
blankgrabberquasaroffice04executionpersistenceprivilege_escalationspywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes
  • encryption_key

    CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Targets

    • Target

      Loader.exe

    • Size

      9.8MB

    • MD5

      bb57e95ad7ac1da6307c62d2e75a7e6d

    • SHA1

      403145af8d0e5260ff0bb9eacac51e9a667214e2

    • SHA256

      e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630

    • SHA512

      12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8

    • SSDEEP

      196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK

    Score
    10/10
    quasaroffice04spywaretrojanupxexecutionpersistenceprivilege_escalationstealer

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks