quasar | 41139316deb7d9a54b18b8c19e9171bda3cb604c3e750f6e85d7ceb1cde0e345 | Triage

Submit
Reports

Overview

overview

Static

static

1

123.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

123.exe
Size

4KB
Sample

230420-z4ejjaec8z
MD5

8518a12eed11929f90e15e3be93e46a0
SHA1

5e36792391b34ba7f1e7d410f5497a1581c9f541
SHA256

41139316deb7d9a54b18b8c19e9171bda3cb604c3e750f6e85d7ceb1cde0e345
SHA512

a16ba972c2c49c96a27acbc1caa2fae2129b16c0cc59b17a69e21909715ca6d82ad6e50ff2f3b690aa30b5e5a0cf10e21dc892428f55f923368fb58438881ed1
SSDEEP

96:xEPd8q5POp1OTqS6Y83w60w0wod3oj0rl:aPuq5POp1OTqpY8BodX

Score

10^/10

quasar user evasion spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

123.exe

Resource

win10v2004-20230221-en

quasar user evasion spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

user

C2

bore.pub:3434

Mutex

dea7d3ac-9cbe-4676-9d9b-fbb7abd72f66

Attributes

encryption_key
750E471A2736E4EC77FD37E3C73FCB548A7C773A
install_name
csrss.exe
log_directory
Logs
reconnect_delay
10
startup_key
Client Server Runtime Process
subdirectory
F2D1CC.tmp

Targets

- Target
  
  123.exe
- Size
  
  4KB
- MD5
  
  8518a12eed11929f90e15e3be93e46a0
- SHA1
  
  5e36792391b34ba7f1e7d410f5497a1581c9f541
- SHA256
  
  41139316deb7d9a54b18b8c19e9171bda3cb604c3e750f6e85d7ceb1cde0e345
- SHA512
  
  a16ba972c2c49c96a27acbc1caa2fae2129b16c0cc59b17a69e21909715ca6d82ad6e50ff2f3b690aa30b5e5a0cf10e21dc892428f55f923368fb58438881ed1
- SSDEEP
  
  96:xEPd8q5POp1OTqS6Y83w60w0wod3oj0rl:aPuq5POp1OTqpY8BodX
Score

10^/10

quasar user evasion spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaruserevasionspywaretrojan

© 2018-2025

Terms | Privacy