quasar | 4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

5c59b700c7...18.exe

windows7-x64

5c59b700c7...18.exe

windows10-2004-x64

Sharing

General

Target

5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118
Size

866KB
Sample

240719-rw9qpswbrj
MD5

5c59b700c7a1b43a2b8abfe9be0114d6
SHA1

38466b8599e1776fd34bc89462dd9d7842165698
SHA256

4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95
SHA512

9284e40b93b9906c956dccd32cb5f00acef958ff889386dad95da53104bce926160aee8511058c9732d7d86728e8d4a23d96fcb0da7b781c25f85df5a7a1eced
SSDEEP

12288:tRZ+IoG/n9IQxW3OBse97Ium28XSeMIbI/+hl08NsZVsbbcd5e4JRRoEYmPxtovb:l2G/nvxW3WdZQ+Tm4W6HuERbum01t

Score

10^/10

quasar emv spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe

Resource

win7-20240704-en

quasar emv spyware trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118.exe

Resource

win10v2004-20240709-en

quasar emv spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EMV

C2

manoftheyear-58512.portmap.io:58512

Mutex

QSR_MUTEX_OiWYJuvLVGz4wDjmfv

Attributes

encryption_key
0oQZGEIAu1YEgqvO30Bu
install_name
javaupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
javaupdater
subdirectory
SubDir

Targets

- Target
  
  5c59b700c7a1b43a2b8abfe9be0114d6_JaffaCakes118
- Size
  
  866KB
- MD5
  
  5c59b700c7a1b43a2b8abfe9be0114d6
- SHA1
  
  38466b8599e1776fd34bc89462dd9d7842165698
- SHA256
  
  4be89ac76b9b5d45730a1c7fd1c23b9270c7e3f11e997608f13fe4ca7236bb95
- SHA512
  
  9284e40b93b9906c956dccd32cb5f00acef958ff889386dad95da53104bce926160aee8511058c9732d7d86728e8d4a23d96fcb0da7b781c25f85df5a7a1eced
- SSDEEP
  
  12288:tRZ+IoG/n9IQxW3OBse97Ium28XSeMIbI/+hl08NsZVsbbcd5e4JRRoEYmPxtovb:l2G/nvxW3WdZQ+Tm4W6HuERbum01t
Score

10^/10

quasar emv spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaremvspywaretrojan

behavioral2

quasaremvspywaretrojan

© 2018-2025

Terms | Privacy