quasar | 57dfe039d38261c96473c338d867ed0c1398d9c7219c5994ff78bea7354235ed

Resubmissions

16/05/2025, 19:09

250516-xt9wksznv6 10

03/05/2024, 22:01

240503-1w6hqaae35 10

Sharing

Copy URL Twitter E-mail

General

Target

57dfe039d38261c96473c338d867ed0c1398d9c7219c5994ff78bea7354235ed
Size

333KB
MD5

a2d36ba345a8b1b1fa3ccfe07953a9c4
SHA1

a2ab98d158670c50b1f037663128dc8b76d8f7b3
SHA256

57dfe039d38261c96473c338d867ed0c1398d9c7219c5994ff78bea7354235ed
SHA512

736c56e629c7a36fab2bebdc20b9e3da146751a01bd811bc57e91ce5c1d7a1d0bc4825fd59f1a3fa84465b98b2355618d5dae353f7408337dc1488943ca5760d
SSDEEP

6144:195rd3fgtO57SxYjvuJnc2XOZ7EUPh9Gzd3QLCbJT8DlQ8BGUr+:f5rdP4OBPuh3QI8xQ8BNr

Score

10^/10

quasar

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
sample	disable_win_def

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables containing commands for clearing Windows Event Logs 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_ClearWinLogs

Detects executables containing common artifacts observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
57dfe039d38261c96473c338d867ed0c1398d9c7219c5994ff78bea7354235ed

Files

57dfe039d38261c96473c338d867ed0c1398d9c7219c5994ff78bea7354235ed
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\GO2!\R.A.T. 2020\RAT Source 5 NUCLEAR MINING RAT\Client\obj\x86\Debug\Client.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 330KB - Virtual size: 330KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 330KB - Virtual size: 330KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 330KB - Virtual size: 330KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B