quasar | 77e51e5ec3bcc9e9d0a1e2a8d4b9077336d3991069194d4e3ab78abebf970412 | Triage

Analysis

max time kernel
10s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 17:52

Sharing

Report Analysis Logs

General

Target

Loli.exe
Size

5.4MB
MD5

e7a95036d4a297046a2e62984d5695b1
SHA1

a89d2ff6519e2dfb649e919d030dbdd2531b40b4
SHA256

77e51e5ec3bcc9e9d0a1e2a8d4b9077336d3991069194d4e3ab78abebf970412
SHA512

0d91a7f1a8d97ce556529c2e358f02f6ad4e47431351bb612b54844be2c4e0a06bb1064a1e0659f41e09b20cc4e58f00bd25a5941610c066dd84051bcdc30861
SSDEEP

49152:8BdFfyrzyIzt+EeGfMcpKnIXDpZEV/+yR/GBs3rDDjJIBB6yCHHB72eh2Nw+Nf:8BfyrzyIzt+EeCXX9uV2xBAH

Score

10^/10

quasar agilenet spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
E2FB9900B23756E2DDF30B24E44B0961BA7B0F9C
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2212-1-0x0000000000910000-0x0000000000E74000-memory.dmp	family_quasar

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral2/memory/2212-1-0x0000000000910000-0x0000000000E74000-memory.dmp	agile_net

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Loli.exe

pid process

2212 Loli.exe

C:\Users\Admin\AppData\Local\Temp\Loli.exe
"C:\Users\Admin\AppData\Local\Temp\Loli.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-0-0x00007FFDCDDE3000-0x00007FFDCDDE5000-memory.dmp

Filesize
8KB

Download
memory/2212-1-0x0000000000910000-0x0000000000E74000-memory.dmp

Filesize
5.4MB

Download