
General

  • Target

    quasar.exe

  • Size

    3.1MB

  • Sample

    230705-s6dlpadf73

  • MD5

    8b0270a1fe2e8b6d98bd29ce11d18f9c

  • SHA1

    a64f7a329f2e741d6ce6a3dd3a66023e4885f8c7

  • SHA256

    e3c05e377bb3d08792a47d2d04488df5048549e96939a7207c5ef14015d2c329

  • SHA512

    52e7f3ace9b489729fa8a0434dd362f88e5af8ec34c36b8f40f05fa8fcbc8316ec1e578d8cc6ea2ae9a1e7c7b06ace205f354562988b4428f34066f17589d168

  • SSDEEP

    49152:Xv9z92YpaQI6oPZlhP3ReybewoMdRJ6XbR3LoGdasTHHB72eh2NT:XvV92YpaQI6oPZlhP3YybewoMdRJ6pK

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

93.35.198.71:4782

7.tcp.eu.ngrok.io:14313:25565

Mutex

63eac64e-75b2-49ce-8a2e-3d1114815132

Attributes
  • encryption_key

    4C728E4D527117B7094ADC3922AFF7A3BF47EF70

  • install_name

    WinSysUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    WinSysAnalisis
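
The extracted configuration above is already enough to hunt with. The following is an added example, not code from the tria.ge report or from the Quasar project: it takes the C2 list, mutex, install name, subdirectory and startup key exactly as extracted, splits the C2 entries into usable (host, port) pairs (the ngrok entry carries two port fields; the first is kept and the raw string is preserved), separates the 192.168.56.1 host (a private address, most likely the operator's VM test network) from the public and tunnelled endpoints, and matches a few constructed Sysmon-style log lines against the resulting terms. The Run-key check assumes the open-source Quasar client's persistence method, a Run value named after startup_key; the report does not state the install parent directory, so only the subdirectory\install_name suffix is matched. Port 4782 is Quasar's default listener port.

```python
"""Added example: derive hunting checks from the Quasar config on this page.
Config values are copied from the report; the log lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Values as extracted by the sandbox (taken from the report above).
QUASAR_CONFIG = {
    "c2": ["192.168.56.1:4782", "93.35.198.71:4782", "7.tcp.eu.ngrok.io:14313:25565"],
    "mutex": "63eac64e-75b2-49ce-8a2e-3d1114815132",
    "install_name": "WinSysUpdate.exe",
    "subdirectory": "WinSysAnalisis",
    "startup_key": "Quasar Client Startup",
}


@dataclass(frozen=True)
class C2Entry:
    host: str
    port: int
    kind: str   # "private" (lab/test network), "public", or "tunnel" (ngrok)
    raw: str    # original string, kept because one entry is malformed


def parse_c2(entry):
    """Split a Quasar 'host:port' string. The ngrok entry on this page has a
    trailing extra port field; the first port is used and the raw text kept."""
    parts = entry.split(":")
    host, port = parts[0], int(parts[1])
    try:
        kind = "private" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:  # not an IP literal: a hostname
        kind = "tunnel" if host.endswith(".ngrok.io") else "public"
    return C2Entry(host, port, kind, entry)


def hunt_terms(cfg):
    """Return the concrete strings and (host, port) pairs worth searching for."""
    c2 = [parse_c2(e) for e in cfg["c2"]]
    return {
        "c2_hosts": {(c.host, c.port) for c in c2 if c.kind != "private"},
        "lab_only": {(c.host, c.port) for c in c2 if c.kind == "private"},
        "run_value_name": cfg["startup_key"],            # assumed Run-key persistence
        "install_suffix": cfg["subdirectory"] + "\\" + cfg["install_name"],
        "mutex": cfg["mutex"],
    }


NET_RE = re.compile(r"DestinationIp=(\S+).*?DestinationPort=(\d+)")
REG_RE = re.compile(r"TargetObject=(.+?)(?:\s+Details=|$)")


def match_events(cfg, lines):
    """Tag constructed Sysmon-style lines that match the hunt terms.
    One tag per line, in priority order: C2 connection, Run key, install path."""
    terms = hunt_terms(cfg)
    hits = []
    for line in lines:
        m = NET_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in terms["c2_hosts"]:
            hits.append(("c2_connection", m.group(1)))
            continue
        m = REG_RE.search(line)
        if m and m.group(1).endswith("\\Run\\" + terms["run_value_name"]):
            hits.append(("run_key_persistence", m.group(1)))
            continue
        if terms["install_suffix"].lower() in line.lower():
            hits.append(("install_path", terms["install_suffix"]))
    return hits


# Constructed sample events (Sysmon IDs 3, 13, 11 in key=value form).
SAMPLE_LOG = [
    "EventID=3 Image=C:\\Users\\x\\AppData\\Roaming\\WinSysAnalisis\\WinSysUpdate.exe "
    "DestinationIp=93.35.198.71 DestinationPort=4782",
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=93.35.198.71 DestinationPort=443",
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Run\\Quasar Client Startup Details=\"C:\\Users\\x\\AppData\\Roaming\\WinSysAnalisis\\WinSysUpdate.exe\"",
    "EventID=3 Image=C:\\x.exe DestinationIp=192.168.56.1 DestinationPort=4782",
    "EventID=11 TargetFilename=C:\\Users\\x\\AppData\\Roaming\\WinSysAnalisis\\WinSysUpdate.exe",
]

if __name__ == "__main__":
    for tag, detail in match_events(QUASAR_CONFIG, SAMPLE_LOG):
        print(tag, detail)
```

The private 192.168.56.1 entry is deliberately excluded from the connection check: alerting on it would only fire inside the operator's own lab, while the public IP and the ngrok tunnel are the endpoints a victim host would actually reach. The mutex is returned in the hunt terms for use with a memory or handle scan, which this example does not perform.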

Targets

    • Quasar RAT

      Quasar is an open source Remote Access Tool (RAT) written in C#.

    • Quasar payload

    • Executes dropped EXE
