quasar | 358da4f1aa792a6d5c6ed2d4ff4c1420e6bb0869cb406f2c3db47163313e4d0c | Triage

Submit
Reports

Overview

overview

Static

static

7

CraxsV7.2.zip

windows11-21h2-x64

Resubmissions

19/02/2024, 19:14

240219-xxvaasbc3w 10

19/02/2024, 18:57

240219-xlwnzsba4v 7

Sharing

Copy URL Twitter E-mail

General

Target

CraxsV7.2.zip
Size

491.7MB
Sample

240219-xxvaasbc3w
MD5

bb70ba93d3757f8250a779be1ffa7514
SHA1

2bad7c63b3bf96f495a59bc7c4cd652d97073c73
SHA256

358da4f1aa792a6d5c6ed2d4ff4c1420e6bb0869cb406f2c3db47163313e4d0c
SHA512

b9816167d3a6fd8171eda2d0b68518c55594e5cf605e4d1a8c38269c1a3852b8ecd9fbd3a79bebd8f8ed57ae11756b0b0ed7385e16ea8ddce8d3e1fc526afffa
SSDEEP

12582912:7S+F/sJhIJobjj0PzQgvhFdabG5BiV84Il3uuNu+wjEIXXn:fFNeqbeqFE7EIn

Score

10^/10

quasar java agilenet evasion spyware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

CraxsV7.2.zip

Resource

win11-20240214-en

quasar java agilenet evasion spyware themida trojan

windows11-21h2-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

C2

129.159.225.178:19345

Mutex

f30083ae-f891-4ba5-9748-d5ee66ca83cb

Attributes

encryption_key
D3AA51BB478427F5ADF9A26B1CDC35FD1757D450
install_name
Java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java
subdirectory
Java

Targets

- Target
  
  CraxsV7.2.zip
- Size
  
  491.7MB
- MD5
  
  bb70ba93d3757f8250a779be1ffa7514
- SHA1
  
  2bad7c63b3bf96f495a59bc7c4cd652d97073c73
- SHA256
  
  358da4f1aa792a6d5c6ed2d4ff4c1420e6bb0869cb406f2c3db47163313e4d0c
- SHA512
  
  b9816167d3a6fd8171eda2d0b68518c55594e5cf605e4d1a8c38269c1a3852b8ecd9fbd3a79bebd8f8ed57ae11756b0b0ed7385e16ea8ddce8d3e1fc526afffa
- SSDEEP
  
  12582912:7S+F/sJhIJobjj0PzQgvhFdabG5BiV84Il3uuNu+wjEIXXn:fFNeqbeqFE7EIn
Score

10^/10

quasar java agilenet evasion spyware themida trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarjavaagilenetevasionspywarethemidatrojan

© 2018-2025

Terms | Privacy