quasar | 00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3 | Triage

Submit
Reports

Overview

overview

Static

static

Uni.exe

windows10-1703-x64

Uni.exe

windows7-x64

Uni.exe

windows10-2004-x64

Uni.exe

windows11-21h2-x64

Sharing

General

Target

Uni.exe
Size

409KB
Sample

240508-v2b86she88
MD5

7417c8c73e614f293152575f46134216
SHA1

cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA256

00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512

897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
SSDEEP

6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m

Score

10^/10

quasar slave spyware trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Uni.exe

Resource

win10-20240404-en

quasar slave spyware trojan

windows10-1703-x64

15 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Uni.exe

Resource

win7-20240419-en

quasar slave spyware trojan

windows7-x64

9 signatures

1800 seconds

Behavioral task

behavioral3

Sample

Uni.exe

Resource

win10v2004-20240508-en

quasar slave spyware trojan

windows10-2004-x64

17 signatures

1800 seconds

Behavioral task

behavioral4

Sample

Uni.exe

Resource

win11-20240508-en

quasar slave spyware trojan

windows11-21h2-x64

15 signatures

1800 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-dOMA5C0pQTTpKjVsCp

Attributes

encryption_key
UBXs44u6E81wxBGZxQHk
install_name
$sxr-powershell.exe
log_directory
$SXR-KEYLOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Targets

- Target
  
  Uni.exe
- Size
  
  409KB
- MD5
  
  7417c8c73e614f293152575f46134216
- SHA1
  
  cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
- SHA256
  
  00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
- SHA512
  
  897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
- SSDEEP
  
  6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Score

10^/10

quasar slave spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasarslavespywaretrojan

behavioral2

quasarslavespywaretrojan

behavioral3

quasarslavespywaretrojan

behavioral4

quasarslavespywaretrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.