quasar | 10b1a61abfb2f91eea0fec8b52e5602c0f8630703a159593d23daf3c76da145f | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

5

efb2d35f2a...27.exe

windows7-x64

efb2d35f2a...27.exe

windows10-2004-x64

Sharing

General

Target

efb2d35f2a187b18fb7fe32eb68dd927.bin
Size

4.9MB
Sample

230130-yljj4ace45
MD5

efb2d35f2a187b18fb7fe32eb68dd927
SHA1

12a73b569e16637e6e783b59d627f44ce0bf26d2
SHA256

10b1a61abfb2f91eea0fec8b52e5602c0f8630703a159593d23daf3c76da145f
SHA512

1f97643fd6990f19c17df867b0d86e3ef14837e09a500f2c4dff6652e81f3e965149e6b50b50f6dee257889c54b990248dd37b0920c1a630eea4cdca06260b34
SSDEEP

98304:p2cPK8sxc2Ml4nALiVRKC4x0UWMqs+QY/c0PjiqBa:QCK3e2Ml6AmVR80MbGjiqBa

Score

10^/10

quasar adobe xd persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

efb2d35f2a187b18fb7fe32eb68dd927.exe

Resource

win7-20221111-en

quasar adobe xd persistence spyware trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

efb2d35f2a187b18fb7fe32eb68dd927.exe

Resource

win10v2004-20220812-en

quasar adobe xd persistence spyware trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Adobe XD

C2

stopman.ooguy.com:1980

craftIP.gize.com:1980

Mutex

NtOcRpqrVzcLWKF9xK

Attributes

encryption_key
PB6sv6yXkRlKJgQI1D4W
install_name
Client.exe
log_directory
mincraft
reconnect_delay
5000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  efb2d35f2a187b18fb7fe32eb68dd927.bin
- Size
  
  4.9MB
- MD5
  
  efb2d35f2a187b18fb7fe32eb68dd927
- SHA1
  
  12a73b569e16637e6e783b59d627f44ce0bf26d2
- SHA256
  
  10b1a61abfb2f91eea0fec8b52e5602c0f8630703a159593d23daf3c76da145f
- SHA512
  
  1f97643fd6990f19c17df867b0d86e3ef14837e09a500f2c4dff6652e81f3e965149e6b50b50f6dee257889c54b990248dd37b0920c1a630eea4cdca06260b34
- SSDEEP
  
  98304:p2cPK8sxc2Ml4nALiVRKC4x0UWMqs+QY/c0PjiqBa:QCK3e2Ml6AmVR80MbGjiqBa
Score

10^/10

quasar adobe xd persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaradobe xdpersistencespywaretrojan

behavioral2

quasaradobe xdpersistencespywaretrojan

© 2018-2025

Terms | Privacy