Resubmissions

  • 07-07-2024 13:42    240707-qzq74awbkh    10

  • 07-07-2024 13:41    240707-qy9caatblp    10

General

  • Target

    SolaraBootstrapper.exe

  • Size

    4.7MB

  • Sample

    240707-qy9caatblp

  • MD5

    8e188560eca9ec36adb33425dd5ded3a

  • SHA1

    8ff3c27b9d50e0eda7a7df3a94ecd701f4632c4d

  • SHA256

    f7f233269f149d89c2178a456e9d858c366d41b525a7655a5c6633bc27914e1f

  • SHA512

    da2d41f5a960b82dd5281932eedbd2df941df1a5a7a5dbbb7a0621bb483a3366932b5b9d4b7d64ce21eb8e8a492338a48ca9ee57781d38c3427e5a31f5a68ee2

  • SSDEEP

    49152:fdKiv3rs1xLqz9kD7XH3iXQ7JY89kWfKn1KO+zW5GbClxAT8b7ZwQI7y:fUfx+zCniXQ71kWfKn1RBNfg7y

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    ships-resistance.gl.at.ply.gg:53758

  • Mutex

    90dce01d-0491-44c9-ba30-2abd7f7ec13a

Attributes

  • encryption_key

    FBC87452408857575CDBB63E221DC85973427C45

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Targets

    • Target

      SolaraBootstrapper.exe

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Persistence

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

  • Scheduled Task (T1053.005): 1

Credential Access

  • Unsecured Credentials (T1552): 2

  • Credentials In Files (T1552.001): 1

  • Credentials in Registry (T1552.002): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 2
