Overview

overview

10

Static

static

10

Quasar.v1.4.1.zip

windows7-x64

1

Quasar.v1.4.1.zip

windows10-2004-x64

10

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....e.html

windows7-x64

3

Quasar v1....e.html

windows10-2004-x64

3

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....to.dll

windows7-x64

1

Quasar v1....to.dll

windows10-2004-x64

1

Quasar v1....ok.dll

windows7-x64

1

Quasar v1....ok.dll

windows10-2004-x64

1

Quasar v1.4.1/LICENSE

windows7-x64

1

Quasar v1.4.1/LICENSE

windows10-2004-x64

1

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

1

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

1

Quasar v1....ks.dll

windows7-x64

1

Quasar v1....ks.dll

windows10-2004-x64

1

Quasar v1....il.dll

windows7-x64

1

Quasar v1....il.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 35 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\7zO07ACDA18\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07ACDA18\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Users\Admin\AppData\Local\Temp\7zO07A20178\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A20178\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Users\Admin\AppData\Local\Temp\7zO07AD6368\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AD6368\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Users\Admin\AppData\Local\Temp\7zO07A08C68\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A08C68\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3080
    • C:\Users\Admin\AppData\Local\Temp\7zO07AA3B68\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AA3B68\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Users\Admin\AppData\Local\Temp\7zO07A05968\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A05968\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
    • C:\Users\Admin\AppData\Local\Temp\7zO07A6E758\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A6E758\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\7zO07AC1458\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AC1458\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2380
    • C:\Users\Admin\AppData\Local\Temp\7zO07A15258\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A15258\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:544
    • C:\Users\Admin\AppData\Local\Temp\7zO07A7F058\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A7F058\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5112
    • C:\Users\Admin\AppData\Local\Temp\7zO07AD1158\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AD1158\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2280
    • C:\Users\Admin\AppData\Local\Temp\7zO07A26F58\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A26F58\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Users\Admin\AppData\Local\Temp\7zO07A8FD58\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A8FD58\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Users\Admin\AppData\Local\Temp\7zO07AE1A58\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AE1A58\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:736
    • C:\Users\Admin\AppData\Local\Temp\7zO07AEB958\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AEB958\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Users\Admin\AppData\Local\Temp\7zO07A5C748\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A5C748\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3080
    • C:\Users\Admin\AppData\Local\Temp\7zO07A9DED8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A9DED8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Users\Admin\AppData\Local\Temp\7zO07A98CC8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A98CC8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4184
    • C:\Users\Admin\AppData\Local\Temp\7zO07AF3DC8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AF3DC8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
    • C:\Users\Admin\AppData\Local\Temp\7zO07A47BC8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A47BC8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\7zO07A949C8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A949C8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
    • C:\Users\Admin\AppData\Local\Temp\7zO07AD4739\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AD4739\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Users\Admin\AppData\Local\Temp\7zO07A3E539\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A3E539\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Users\Admin\AppData\Local\Temp\7zO07A82239\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A82239\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4772
    • C:\Users\Admin\AppData\Local\Temp\7zO07AE4039\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AE4039\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4424
    • C:\Users\Admin\AppData\Local\Temp\7zO07A6BC39\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A6BC39\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Users\Admin\AppData\Local\Temp\7zO07A0C839\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A0C839\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Users\Admin\AppData\Local\Temp\7zO07A68429\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A68429\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Users\Admin\AppData\Local\Temp\7zO07A5C329\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A5C329\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:392
    • C:\Users\Admin\AppData\Local\Temp\7zO07A78129\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A78129\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\7zO07AABF29\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AABF29\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Users\Admin\AppData\Local\Temp\7zO07AB1D29\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07AB1D29\Quasar.exe"
      2⤵
      • Executes dropped EXE
      PID:1516
    • C:\Users\Admin\AppData\Local\Temp\7zO07A46929\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A46929\Quasar.exe"
      2⤵
      • Executes dropped EXE
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\7zO07A24419\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A24419\Quasar.exe"
      2⤵
      • Executes dropped EXE
      PID:4928
    • C:\Users\Admin\AppData\Local\Temp\7zO07A2D319\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO07A2D319\Quasar.exe"
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO07A1F269\version.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO07ACDA18\Quasar.exe
    Filesize

    1.2MB

    MD5

    12ebf922aa80d13f8887e4c8c5e7be83

    SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

    SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

    SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

    Download Submit

  • memory/5032-12-0x00007FFDF0F23000-0x00007FFDF0F25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5032-13-0x000001D900580000-0x000001D9006B8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5032-14-0x00007FFDF0F20000-0x00007FFDF19E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-15-0x00007FFDF0F20000-0x00007FFDF19E1000-memory.dmp

    Filesize

    10.8MB

    Download