quasar | 938d4730b36fc5dcc85411fc9d79a975e3d2fa11e3fff11031aacb9d4c2d0cad | Triage

Submit
Reports

Overview

overview

Static

static

Update.exe

windows10-2004-x64

Update.exe

windows11-21h2-x64

Sharing

General

Target

Update.exe
Size

413KB
Sample

240707-xez3tswgpp
MD5

0f9c37ef7f6df23a9d6b193a9cd7db23
SHA1

e60f7db025a6ed54487e981b62ccfadcb4f6f9fa
SHA256

938d4730b36fc5dcc85411fc9d79a975e3d2fa11e3fff11031aacb9d4c2d0cad
SHA512

9d8475066a80583ec0f5b7e4ddad47afd39e0a90d03aa86f91a391338835d1c51b46e12c3e697569156885bc0eb42c357fff1153711c01d8c80f94202735b9f4
SSDEEP

6144:zhmEjkzQT1TVNG3DPccsyWVgbR4D6kZ4Zc19Rv1F/j15xYwSmQKq0T9Gk:l1TVVGQcsyZ49/99x5qwS9KBGk

Score

10^/10

quasar office04 execution spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

Update.exe

Resource

win10v2004-20240704-en

quasar office04 execution spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Update.exe

Resource

win11-20240508-en

quasar office04 execution spyware trojan

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

wireless-boston.gl.at.ply.gg:8801

Mutex

$Sxr-a4FI5KvPJWMj2Jorq9

Attributes

encryption_key
5aGU2flwVjXcdG7DyCX7
install_name
systemlogs.exe
log_directory
Logs
reconnect_delay
3000
startup_key
systemlogs
subdirectory
SubDir

Targets

- Target
  
  Update.exe
- Size
  
  413KB
- MD5
  
  0f9c37ef7f6df23a9d6b193a9cd7db23
- SHA1
  
  e60f7db025a6ed54487e981b62ccfadcb4f6f9fa
- SHA256
  
  938d4730b36fc5dcc85411fc9d79a975e3d2fa11e3fff11031aacb9d4c2d0cad
- SHA512
  
  9d8475066a80583ec0f5b7e4ddad47afd39e0a90d03aa86f91a391338835d1c51b46e12c3e697569156885bc0eb42c357fff1153711c01d8c80f94202735b9f4
- SSDEEP
  
  6144:zhmEjkzQT1TVNG3DPccsyWVgbR4D6kZ4Zc19Rv1F/j15xYwSmQKq0T9Gk:l1TVVGQcsyZ49/99x5qwS9KBGk
Score

10^/10

quasar office04 execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04executionspywaretrojan

behavioral2

quasaroffice04executionspywaretrojan

© 2018-2025

Terms | Privacy