quasar | 244aa65cbea1df3f173fc068e3a56944516640d1cd3d3f682cce74f6b2cdd523 | Triage

Submit
Reports

Overview

overview

Static

static

3

atikmdag-p...er.exe

windows7-x64

atikmdag-p...er.exe

windows10-2004-x64

Sharing

General

Target

atikmdag-patcher-1.4.14.zip.7z
Size

3.5MB
Sample

241105-nmb7as1djq
MD5

4e9e157ef0215a85e4efc5b080d09f8b
SHA1

0cffee2444c25c7ca22907e57c4faf22c991fd84
SHA256

244aa65cbea1df3f173fc068e3a56944516640d1cd3d3f682cce74f6b2cdd523
SHA512

31137799e3dee4f5c9ff4442852a933152d50bf2873b0eeca37e9b4d7460e9a04c345f1bd28faa1be5caa77cf3d6e3f6cc10c01d9bdd462d6e183fa778ca2f1b
SSDEEP

49152:kbbixos1zrOZB2FhfgwdIsH4e75wsHt9zY9QmU4vswTxFEox655wNGfE//u2xHsr:zWErSMI+7mxPDkwVlcEok/T8fz3V

Score

10^/10

quasar redline newwwss office discovery infostealer spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

atikmdag-patcher-1.4.14/atikmdag-patcher.exe

Resource

win7-20241010-en

quasar redline newwwss office discovery infostealer spyware trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

atikmdag-patcher-1.4.14/atikmdag-patcher.exe

Resource

win10v2004-20241007-en

quasar redline newwwss office discovery infostealer spyware trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

newwwss

C2

94.156.67.162:26334

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

94.156.67.162:2424

Mutex

u9DoUUYRqSpnC2yFWujhfhjfhjfjhfjjhfjhfjhhfjhf

Attributes

encryption_key
GyLD0XdgIcr57WAXJ73w
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  atikmdag-patcher-1.4.14/atikmdag-patcher.exe
- Size
  
  3.2MB
- MD5
  
  36e0f5e0bba981934ec616510c7bca1c
- SHA1
  
  c8887798854f8a081968ab4d68654cd2c38813d5
- SHA256
  
  fc789c6f5ae68957b419d81717f00714c1708e9025b29b4112045c667c74e138
- SHA512
  
  58975ef79f4ac2ef82e0c7e1034ace9dc0bc8df71708cde7a710ca322ee9486b1c7261d3e49b4861886ced390efcca5fd857fc902013cbdc0ba9bcb2159e9578
- SSDEEP
  
  49152:1dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQ9333cW7:rJYVM+LtVt3P/KuG2ONG9iqLRQ9333c8
Score

10^/10

quasar redline newwwss office discovery infostealer spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasarredlinenewwwssofficediscoveryinfostealerspywaretrojan

behavioral2

quasarredlinenewwwssofficediscoveryinfostealerspywaretrojan

© 2018-2025

Terms | Privacy