quasar | c8277e88b37878917b46d509324a57846d58e285c3e06720a282e7bb34fd9bc0

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

348KB
MD5

46b23e41aeba2bb731b8ae3e22a7e5dc
SHA1

a180b34c6f9cc519d1d3773904c56c3d952ca423
SHA256

c8277e88b37878917b46d509324a57846d58e285c3e06720a282e7bb34fd9bc0
SHA512

9387f05ce259a39be1a194fbb4a89747d4005866bfddfec2a5605437b899563f7bc5c4af2231f8bc76934ecbabc15ea1596c0c5d70a4207390be13cc6d95d176
SSDEEP

6144:+2NHXf500MGQqCgPsccwxdbNNepgFVswka:1d50yzVteGjswka

Score

10^/10

quasar new2 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

new2

asyfguas.con-ip.com:555

Mutex

QSR_MUTEX_ehHHLz4QY25Plj0Xry

Attributes

encryption_key
SF8iuyfrBbCOUe75IKlr
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3888-133-0x00000000008C0000-0x000000000091E000-memory.dmp	family_quasar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	stub.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3888	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-133-0x00000000008C0000-0x000000000091E000-memory.dmp

Filesize
376KB

Download
memory/3888-134-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/3888-135-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/3888-136-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3888-137-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3888-138-0x0000000006420000-0x0000000006432000-memory.dmp

Filesize
72KB

Download
memory/3888-139-0x0000000006840000-0x000000000687C000-memory.dmp

Filesize
240KB

Download
memory/3888-141-0x0000000006BC0000-0x0000000006BCA000-memory.dmp

Filesize
40KB

Download
memory/3888-142-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download