quasar | 69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da | Triage

Submit
Reports

Overview

overview

Static

static

1

Client-built.bat

windows10-1703-x64

Client-built.bat

windows10-2004-x64

Client-built.bat

windows11-21h2-x64

Sharing

General

Target

Client-built.bat
Size

1.9MB
Sample

240512-shxpnabf6z
MD5

ca98faeecf7f69f417e6b8e706986b2e
SHA1

2ed0d04b476658f57e50b86dba53cdc0edb379e8
SHA256

69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da
SHA512

ad3a6e51492f68bf623b08d01d8d9cc9bc58a6496e04c734ddacd2be120987f56ff228bf24f92a67aff408d801a670cfbb83564907219523776b7a8263b41d64
SSDEEP

24576:DqPPl9YNqSrDNfqgg4edWKa1tpD0jH3F8DbFkBNKUXuiFgZULkB4VmVc0i6MwGxb:W1cqzx/WOrBSkQJ8b

Score

10^/10

quasar new execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Client-built.bat

Resource

win10-20240404-en

quasar new execution spyware trojan

windows10-1703-x64

14 signatures

300 seconds

Behavioral task

behavioral2

Sample

Client-built.bat

Resource

win10v2004-20240508-en

quasar new execution spyware trojan

windows10-2004-x64

15 signatures

300 seconds

Behavioral task

behavioral3

Sample

Client-built.bat

Resource

win11-20240426-en

quasar new execution spyware trojan

windows11-21h2-x64

13 signatures

300 seconds

Malware Config

Extracted

Family

quasar

Version

1.0.0

Botnet

New

C2

even-lemon.gl.at.ply.gg:33587

Mutex

2bce5514-d527-4787-825c-3042f9dd5ede

Attributes

encryption_key
501DB7A849356BF2C272A70D53FAF39F17D4245C
install_name
WinHost32.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
Powershell
subdirectory
System32

Targets

- Target
  
  Client-built.bat
- Size
  
  1.9MB
- MD5
  
  ca98faeecf7f69f417e6b8e706986b2e
- SHA1
  
  2ed0d04b476658f57e50b86dba53cdc0edb379e8
- SHA256
  
  69d3f18cd40fe951e863d6f7cb34f623ae1f169a030c166efd713630744b14da
- SHA512
  
  ad3a6e51492f68bf623b08d01d8d9cc9bc58a6496e04c734ddacd2be120987f56ff228bf24f92a67aff408d801a670cfbb83564907219523776b7a8263b41d64
- SSDEEP
  
  24576:DqPPl9YNqSrDNfqgg4edWKa1tpD0jH3F8DbFkBNKUXuiFgZULkB4VmVc0i6MwGxb:W1cqzx/WOrBSkQJ8b
Score

10^/10

quasar new execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarnewexecutionspywaretrojan

behavioral2

quasarnewexecutionspywaretrojan

behavioral3

quasarnewexecutionspywaretrojan

© 2018-2024

Terms | Privacy