VRad

#quasar_090124

Jan 9th, 2024 (edited)

#IOC #OptiData #VR #Quasar #RAT #NET #RAR #PWD #PS

https://pastebin.com/EnDmzkhL

previous_contact:
n/a

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

attack_vector
--------------
email attach .zip (Запит.zip) > .rar1 (Запит.rar) > .rar2 multi-part, password-protected (Електронний запит.part1-3.rar) > .exe1 loader (Електронний запит.EXE) > cmd > powershell > downloads exe2 (gbquas.exe from bitbucket) > AppData\Roaming\DVG8873\Update.exe (Quasar client)

# # # # # # # #
email_headers
# # # # # # # #
n/a

# # # # # # # #
files
# # # # # # # #
SHA-256 727c60799e6583faf533baa5aa19219e694cf4c6e87ccd3343df784652b15ac3
File name Запит.zip (Ukrainian: "Request.zip") [ Zip archive data, at least v1.0 to extract, compression method=store ]
File size 149.11 KB (152688 bytes)

SHA-256 c304ffc2f06103d4b60c0ec37a0912f0cefb6ba60273d456d94bb4f6453fa68e
File name Запит.rar ("Request.rar") [ RAR archive data, v5 ]
File size 148.72 KB (152292 bytes)

SHA-256 c5fe2158ba8a017a7548e13c90ffb8e3e6ff0f477094f5f5edc1ebf1de85adab
File name Електронний запит.part1.rar ("Electronic request.part1.rar") [ RAR archive data, v5 ] multi-part volume, password-protected
File size 53.00 KB (54272 bytes)

SHA-256 b07d36986470cd09256ecba5c11bc16b083776cf61480d9beedc7f0d959b3b23
File name Електронний запит.part2.rar ("Electronic request.part2.rar") [ RAR archive data, v5 ] multi-part volume, password-protected
File size 53.00 KB (54272 bytes)

SHA-256 e3522b418b77fee951e14e559be564d148d1c8ab905dbeee5d03c628368fe2b0
File name Електронний запит.part3.rar ("Electronic request.part3.rar") [ RAR archive data, v5 ] multi-part volume, password-protected
File size 42.01 KB (43022 bytes)

SHA-256 76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950
File name Електронний запит.EXE ("Electronic request.EXE")
File size 204.50 KB (209408 bytes) [ PE32+ executable (GUI) x86-64 ] Loader

SHA-256 e8af36287e2270581fd5f2d28c6e0b83b337f58d430554d28dbf55d2ca09fcca
File name gbquas.exe (installed as Update.exe) [ PE32 executable (GUI) Intel 80386 Mono/.Net assembly ] Quasar
File size 18.02 MB (18899968 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket_org /yener3 /yener3 /downloads /gbquas.exe

C2 77_105_132_124 : 4899
77_105_132_124 : 2525
77_105_132_70 : 2525
77_105_132_70 : 4899


netwrk
--------------
104_192_141_1 bitbucket.org 443 TLSv1.2 Client Hello
3_5_27_150 bbuseruploads.s3.amazonaws.com 443 TLSv1.2 Client Hello
77_105_132_124 4899 TLSv1.2 Client Hello
77_105_132_124 2525 TLSv1.2 Client Hello
77_105_132_70 2525 TLSv1.2 Client Hello
77_105_132_70 4899 TLSv1.2 Client Hello

comp
--------------
powershell.exe TCP 104_192_141_1 443 ESTABLISHED
powershell.exe TCP 3_5_27_150 443 ESTABLISHED
Update.exe TCP 77_105_132_124 2525 FIN_WAIT2
Update.exe TCP 77_105_132_70 4899 FIN_WAIT2
[System] TCP 77_105_132_124 2525 TIME_WAIT

proc
--------------
C:\Users\operator\Desktop\Електронний запит.EXE
C:\Windows\system32\cmd.exe /c sws.bat && test2.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f "
C:\Windows\system32\xcopy.exe /s test2.bat "C:\TEMP\persistent2\test2.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBE ....
C:\Windows\system32\reg.exe add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
C:\Windows\system32\reg.exe add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
C:\Windows\system32\reg.exe delete HKCU\Software\Classes\.omg\ /f
C:\Windows\system32\reg.exe delete HKCU\Software\Classes\ms-settings\ /f
C:\Users\operator\AppData\Roaming\gbquas.exe
C:\Users\operator\AppData\Roaming\gbquas.exe
C:\Users\operator\AppData\Roaming\DVG8873\Update.exe
C:\Users\operator\AppData\Roaming\DVG8873\Update.exe
C:\TEMP\IXP000.TMP\test2.exe
C:\Windows\system32\cmd.exe /c "test2.bat"
C:\Windows\system32\net.exe session
C:\Windows\system32\net1.exe session

note: the reg.exe sequence (handler for a custom ProgID .omg under HKCU\Software\Classes, ms-settings\CurVer redirected to it, both keys deleted afterwards) is the ms-settings CurVer UAC-bypass pattern; the visible Base64 prefix of the powershell argument decodes (UTF-16LE) to "function Get-D"; net session is the usual batch-file test for an elevated token

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.01.2024 12:59
Update (Run value name, the client's startup key) PDF Reader for Windows 10 Setup PDFLogic Corporation (version-info strings carried by update.exe)
c:\users\operator\appdata\roaming\dvg8873\update.exe 08.01.2024 16:31

drop
--------------
C:\Users\operator\AppData\Roaming\gbquas.exe
%temp%\IXP000.TMP\test2.exe
%temp%\IXP001.TMP\test2.bat
%temp%\IXP000.TMP\sws.bat
(IXPnnn.TMP is the extraction directory of an IExpress self-extracting package; cmd /c sws.bat && test2.exe above is its post-extraction command)

  112.  
  113. # # # # # # # #
  114. additional info
  115. # # # # # # # #
  116. version 1.4.1
  117. subdirectory DVG8873
  118. install name Update.exe
  119. mutex 4f6b11a0-3dfc-4b48-b2dc-1f9ff07a13ad
  120. startup key Update
  121.  
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/727c60799e6583faf533baa5aa19219e694cf4c6e87ccd3343df784652b15ac3/details
https://www.virustotal.com/gui/file/c304ffc2f06103d4b60c0ec37a0912f0cefb6ba60273d456d94bb4f6453fa68e/details
https://www.virustotal.com/gui/file/c5fe2158ba8a017a7548e13c90ffb8e3e6ff0f477094f5f5edc1ebf1de85adab/details
https://www.virustotal.com/gui/file/b07d36986470cd09256ecba5c11bc16b083776cf61480d9beedc7f0d959b3b23/details
https://www.virustotal.com/gui/file/e3522b418b77fee951e14e559be564d148d1c8ab905dbeee5d03c628368fe2b0/details
https://www.virustotal.com/gui/file/76fb1494f160bb15a94de3401187fa0f4e64c1cff9a4dad27f0b24a8c8786950/details
https://analyze.intezer.com/analyses/09ce9fa3-48cd-4bef-8de9-736e869e1949/iocs
https://www.virustotal.com/gui/file/e8af36287e2270581fd5f2d28c6e0b83b337f58d430554d28dbf55d2ca09fcca/details
https://www.unpac.me/results/3e4970c1-3423-49b4-b128-b0a6358bc9bf

VR