quasar | ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f | Triage

Submit
Reports

Overview

overview

Static

static

1

msjO.hta

windows7-x64

8

msjO.hta

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

msjO.hta
Size

62KB
Sample

231012-pjwxzaca66
MD5

da5de2b74995076618fe814857073997
SHA1

2891a832f6f327a77b5bf8280c13fce76e35b7fe
SHA256

ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f
SHA512

74e31514a029f9577cf084a0a040f7bc56706f90afd0a079f8e5f56e024b2c2f7f8a6cc8f8a4d9ac70dd07eb4d8b48987a8ad4a784f3d883e484015c63bd595d
SSDEEP

768:8lxvAqQiY1Qgph+3/ziRGrirzlQj3KIbd7RJSAIjK+4mmLFpLgZakmM:8xvAqQiSphvrCj3KIbd7RFxdBpMdmM

Score

10^/10

quasar cashing persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

msjO.hta

Resource

win7-20230831-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

msjO.hta

Resource

win10v2004-20230915-en

quasar cashing persistence spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Cashing

C2

185.17.0.246:1419

Mutex

e32b7ac6-a9bd-4f6a-a9c2-2187fa77e95c

Attributes

encryption_key
CE9D5068446A3372A70ABE8EBD0D7F0CBC814B08
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Targets

- Target
  
  msjO.hta
- Size
  
  62KB
- MD5
  
  da5de2b74995076618fe814857073997
- SHA1
  
  2891a832f6f327a77b5bf8280c13fce76e35b7fe
- SHA256
  
  ae8c4f72c13b4103e0e977bbf2939a4b97860d1c279994d1b0bd27e00cbf8c2f
- SHA512
  
  74e31514a029f9577cf084a0a040f7bc56706f90afd0a079f8e5f56e024b2c2f7f8a6cc8f8a4d9ac70dd07eb4d8b48987a8ad4a784f3d883e484015c63bd595d
- SSDEEP
  
  768:8lxvAqQiY1Qgph+3/ziRGrirzlQj3KIbd7RJSAIjK+4mmLFpLgZakmM:8xvAqQiSphvrCj3KIbd7RFxdBpMdmM
Score

10^/10

persistence quasar cashing spyware stealer trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarcashingpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy