quasar | 021453aad14a59162bbdcc15650f5c7595a8141864b8f41c1154b1ea7d0edad1 | Triage

Submit
Reports

Overview

overview

Static

static

Update.exe

windows10-1703-x64

Update.exe

windows10-2004-x64

Update.exe

windows11-21h2-x64

Sharing

General

Target

Update.exe
Size

413KB
Sample

240707-xctg9swgmk
MD5

8d4ed7f39ea9c8d397d9fe7cde96f96f
SHA1

1c9f7a1004a813aec578529267f13cf59c963dc6
SHA256

021453aad14a59162bbdcc15650f5c7595a8141864b8f41c1154b1ea7d0edad1
SHA512

75f580d2fbfacd287529434f9fda86a9cc237c4c8a328f93abe2e18b531bf138512e07e359f30a5e1a239f15849e560f3fd8fbcb77eb3568d3e73f4b2155a7d9
SSDEEP

6144:ZhmEjkzQT1TVNfUacoN2IAanViSRHxb3DFFu4zccHoY0MKfIR+wt7IWqsGa:r1TVVDfAanViSr2GccHN2I0wFfGa

Score

10^/10

quasar office04 execution spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

Update.exe

Resource

win10-20240404-en

quasar office04 execution spyware trojan

windows10-1703-x64

16 signatures

300 seconds

Behavioral task

behavioral2

Sample

Update.exe

Resource

win10v2004-20240704-en

quasar office04 execution spyware trojan

windows10-2004-x64

17 signatures

300 seconds

Behavioral task

behavioral3

Sample

Update.exe

Resource

win11-20240704-en

quasar office04 execution spyware trojan

windows11-21h2-x64

16 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

ireless-boston.gl.at.ply.gg:41366

Mutex

$Sxr-a4FI5KvPJWMj2Jorq9

Attributes

encryption_key
2n7OoPxwl2unZ7DjPE2s
install_name
systemlogs.exe
log_directory
Logs
reconnect_delay
3000
startup_key
systemlogs
subdirectory
SubDir

Targets

- Target
  
  Update.exe
- Size
  
  413KB
- MD5
  
  8d4ed7f39ea9c8d397d9fe7cde96f96f
- SHA1
  
  1c9f7a1004a813aec578529267f13cf59c963dc6
- SHA256
  
  021453aad14a59162bbdcc15650f5c7595a8141864b8f41c1154b1ea7d0edad1
- SHA512
  
  75f580d2fbfacd287529434f9fda86a9cc237c4c8a328f93abe2e18b531bf138512e07e359f30a5e1a239f15849e560f3fd8fbcb77eb3568d3e73f4b2155a7d9
- SSDEEP
  
  6144:ZhmEjkzQT1TVNfUacoN2IAanViSRHxb3DFFu4zccHoY0MKfIR+wt7IWqsGa:r1TVVDfAanViSr2GccHN2I0wFfGa
Score

10^/10

quasar office04 execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

quasaroffice04executionspywaretrojan

behavioral2

quasaroffice04executionspywaretrojan

behavioral3

quasaroffice04executionspywaretrojan

© 2018-2024

Terms | Privacy