quasar | 89fbe8fb43f3984f60bfedeae4cace3b4789351ab26ebbfba4c86a2b846ef2e9 | Triage

Submit
Reports

Overview

overview

Static

static

cwel.exe

windows10-2004-x64

Sharing

General

Target

cwel.exe
Size

3.1MB
Sample

240629-w1czrawcrp
MD5

f57c5f27d07315ed82dbb08b6e652c11
SHA1

0c2411ec67b8f5457a36615f452091fa9fde834a
SHA256

89fbe8fb43f3984f60bfedeae4cace3b4789351ab26ebbfba4c86a2b846ef2e9
SHA512

a776ff65e4091531aa40534b0ab048be3552c45c1b7e684bcf8cbbd3c25df48e1c62ae50c91027db9a7e54dc9d87c084467f8feb84054ddeac18edb72bea2282
SSDEEP

49152:DvLlL26AaNeWgPhlmVqvMQ7XSKXtmbmzJxoGdrXBLTHHB72eh2NT:DvxL26AaNeWgPhlmVqkQ7XSKXtmM

Score

10^/10

quasar office04 spyware stealer trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

cwel.exe

Resource

win10v2004-20240226-en

quasar office04 spyware stealer trojan

windows10-2004-x64

17 signatures

1200 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

pringelsy-48617.portmap.host:48617

Mutex

47a4883d-5fa4-4ba1-82ac-9e7264eb80ac

Attributes

encryption_key
49AD8030FAA6FACCE440328D691DA1A8FD6FDA5C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  cwel.exe
- Size
  
  3.1MB
- MD5
  
  f57c5f27d07315ed82dbb08b6e652c11
- SHA1
  
  0c2411ec67b8f5457a36615f452091fa9fde834a
- SHA256
  
  89fbe8fb43f3984f60bfedeae4cace3b4789351ab26ebbfba4c86a2b846ef2e9
- SHA512
  
  a776ff65e4091531aa40534b0ab048be3552c45c1b7e684bcf8cbbd3c25df48e1c62ae50c91027db9a7e54dc9d87c084467f8feb84054ddeac18edb72bea2282
- SSDEEP
  
  49152:DvLlL26AaNeWgPhlmVqvMQ7XSKXtmbmzJxoGdrXBLTHHB72eh2NT:DvxL26AaNeWgPhlmVqkQ7XSKXtmM
Score

10^/10

quasar office04 spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04spywarestealertrojan

© 2018-2024

Terms | Privacy