quasar | 5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797

General

Target

SeroXenLauncher.bat
Size

409KB
Sample

240702-bbh49atgrp
MD5

54d920888e6066870191f44fe0b27206
SHA1

87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e
SHA256

5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
SHA512

4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d
SSDEEP

6144:EM7Cp8XlizQNOa/YzLU+RefWtEOag0vQUvb3pOMZ97iJcfaohEt2+4nQQ:4pQl4QR/2LU+RefW7qg27iC+t0nQQ

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

127.0.0.1:4782

browser-julia.gl.at.ply.gg:54488

Mutex

$Sxr-GV6wZsGZZMeZ3qfenc

Attributes

encryption_key
KH74MFPau2OXY0OqPzU8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1257452635888423017/-MpHtN8_KQyb61HJqaai1yrkmHQG75b_w1I_FDSgXUCXHSAsskj1fAM-GezxYcBKnRgl

Targets

- Target
  
  SeroXenLauncher.bat
- Size
  
  409KB
- MD5
  
  54d920888e6066870191f44fe0b27206
- SHA1
  
  87feb8a460dd1dc736fc96fbfbe37bf67aed2c3e
- SHA256
  
  5416eb9ce7028292f5810ab8acec85ab7cd55503bcdf097f3e2ce2a900577797
- SHA512
  
  4b23903103954c5d491eedc1c77fec1fea32552b9b863ada312b75388a9a56d38573851d2f6edaf61444fb0549196b1e9310cb6fa4e1773b9bf65291d5e2f72d
- SSDEEP
  
  6144:EM7Cp8XlizQNOa/YzLU+RefWtEOag0vQUvb3pOMZ97iJcfaohEt2+4nQQ:4pQl4QR/2LU+RefW7qg27iC+t0nQQ
Score

10^/10

quasar umbral seroxen execution spyware stealer trojan
- Detect Umbral payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Umbral payload

Quasar RAT

Quasar payload

Umbral

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2