quasar | 43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9 | Triage

Submit
Reports

Overview

overview

Static

static

1

SeroXen.rar

windows10-2004-x64

Sharing

General

Target

SeroXen.rar
Size

7.4MB
Sample

240701-t87g8aserl
MD5

3e5e034189b129f8ffd7b6ae57982740
SHA1

a099319659a4852ee87219d15bd04606660a9afa
SHA256

43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
SHA512

578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
SSDEEP

196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw

Score

10^/10

quasar seroxen discovery execution persistence privilege_escalation spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

SeroXen.rar

Resource

win10v2004-20240508-en

quasar seroxen discovery execution persistence privilege_escalation spyware trojan

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

15.5.0

Botnet

SeroXen

C2

147.185.221.20:49485

Mutex

QSR_MUTEX_rzhQPLl57DqbMvbZp9

Attributes

encryption_key
M2nw0PLpJxuyZQLyQ14p
install_name
Client.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  SeroXen.rar
- Size
  
  7.4MB
- MD5
  
  3e5e034189b129f8ffd7b6ae57982740
- SHA1
  
  a099319659a4852ee87219d15bd04606660a9afa
- SHA256
  
  43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
- SHA512
  
  578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
- SSDEEP
  
  196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw
Score

10^/10

quasar seroxen discovery execution persistence privilege_escalation spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasarseroxendiscoveryexecutionpersistenceprivilege_escalationspywaretrojan

© 2018-2024

Terms | Privacy