quasar | 31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

CzSOSINT.exe

windows7-x64

CzSOSINT.exe

windows10-2004-x64

Sharing

General

Target

CzSOSINT.exe
Size

297KB
Sample

240425-2lbq2aga66
MD5

311c6835775d900f12ece1d138aee2a6
SHA1

95ea06961562ddfa77f645be03f95d08d1cdb2e0
SHA256

31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
SHA512

19cc40219e209fc878ea2beb5cb81917cd3bf43684d9c1d42643581c38b5db393ae8c2362d167521002e466a80fe24b08163aefda5aa7d266b4731f5c985d500
SSDEEP

6144:9eQCIpHePBK7UOYz1mhJCtWY9XcNfPHDpu74NpgtcZRg/+wPO:0ae5mYzcLC0YuF8kHX/g/

Score

10^/10

quasar rslavereel spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CzSOSINT.exe

Resource

win7-20240215-en

quasar rslavereel spyware trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

CzSOSINT.exe

Resource

win10v2004-20240226-en

quasar rslavereel spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RSlaveReel

C2

147.185.221.19:33587

Mutex

$Sxr-PODin6zbdvLuVkqKla

Attributes

encryption_key
myaDwGp04jmlN7Zrz509
install_name
WindowsDllRunHost.exe
log_directory
Update Logs
reconnect_delay
3000
startup_key
WindowsBIOSUpdx64
subdirectory
orbitpaid

Targets

- Target
  
  CzSOSINT.exe
- Size
  
  297KB
- MD5
  
  311c6835775d900f12ece1d138aee2a6
- SHA1
  
  95ea06961562ddfa77f645be03f95d08d1cdb2e0
- SHA256
  
  31f0e68a0fb8a6e1714ade7379d486d56aa1421d2f22ff3d632c1fe24f59457a
- SHA512
  
  19cc40219e209fc878ea2beb5cb81917cd3bf43684d9c1d42643581c38b5db393ae8c2362d167521002e466a80fe24b08163aefda5aa7d266b4731f5c985d500
- SSDEEP
  
  6144:9eQCIpHePBK7UOYz1mhJCtWY9XcNfPHDpu74NpgtcZRg/+wPO:0ae5mYzcLC0YuF8kHX/g/
Score

10^/10

quasar rslavereel spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarrslavereelspywaretrojan

behavioral2

quasarrslavereelspywaretrojan

© 2018-2025

Terms | Privacy