quasar | b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d | Triage

Submit
Reports

Overview

overview

Static

static

1

Uni.bat

windows7-x64

8

Uni.bat

windows10-2004-x64

Sharing

General

Target

Uni.bat
Size

586KB
Sample

240701-t3699ssemk
MD5

3a43120a8dd1e42ff894670710bd8bc4
SHA1

dbb9244231da204517f5d7a0e5ca713b64a3c175
SHA256

b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d
SHA512

15931135fd1fec93a3d77e0f28a19ca0780e7de34ab6a4f8174999cf534b4f810ace2bba0db3f2d0d0007199771b16d0c2bc3cdee48ef00a19be4705d3c26026
SSDEEP

12288:qAtzNGPPmXaudwDKHYeRfRJUnYNY+yjOc3zRMh0KYQgrR3dih:3BsXvudwG4eR5yN6c3VS0KZ9

Score

10^/10

quasar seroxen execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Uni.bat

Resource

win7-20240611-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

Uni.bat

Resource

win10v2004-20240611-en

quasar seroxen execution spyware trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

15.5.0

Botnet

SeroXen

C2

147.185.221.20:49485

Mutex

QSR_MUTEX_rzhQPLl57DqbMvbZp9

Attributes

encryption_key
M2nw0PLpJxuyZQLyQ14p
install_name
Client.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  Uni.bat
- Size
  
  586KB
- MD5
  
  3a43120a8dd1e42ff894670710bd8bc4
- SHA1
  
  dbb9244231da204517f5d7a0e5ca713b64a3c175
- SHA256
  
  b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d
- SHA512
  
  15931135fd1fec93a3d77e0f28a19ca0780e7de34ab6a4f8174999cf534b4f810ace2bba0db3f2d0d0007199771b16d0c2bc3cdee48ef00a19be4705d3c26026
- SSDEEP
  
  12288:qAtzNGPPmXaudwDKHYeRfRJUnYNY+yjOc3zRMh0KYQgrR3dih:3BsXvudwG4eR5yN6c3VS0KZ9
Score

10^/10

execution quasar seroxen spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarseroxenexecutionspywaretrojan

© 2018-2025

Terms | Privacy