quasar | d84951f196002ba7b00af849ecb2b29ea9e61b3cee7a0dadb6fd595da3bd60b4 | Triage

Submit
Reports

Overview

overview

Static

static

Update.exe

windows10-2004-x64

Sharing

General

Target

Update.exe
Size

413KB
Sample

241201-yjne9szmfw
MD5

a47bdfa348d4ed9f8203656f8a62499a
SHA1

7247d8dd2f0ee2f17164ceaac818952991dd8899
SHA256

d84951f196002ba7b00af849ecb2b29ea9e61b3cee7a0dadb6fd595da3bd60b4
SHA512

9ae9a0591684c34d3c0e883b8ca7275405c4c22cd80f6505e31aef86dff91ed97419d7a78727620e5a5b4d7e40f9e3fee4a2f85fc29c607d258108c9bb3c209c
SSDEEP

6144:qNmEjkzQT1TVNe6AsBq61H+crK8mlbb/z3WdYfBJcxsq3GM:u1TVVwK1H+QPmxWKfBJcxsSGM

Score

10^/10

quasar office04 discovery execution spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

Update.exe

Resource

win10v2004-20241007-en

quasar office04 discovery execution spyware trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

C2

me-intranet.gl.at.ply.gg:13055

Mutex

$Sxr-plkPjnJnOsZ1prJqWh

Attributes

encryption_key
sF4pQelXUnjCz70tuoBe
install_name
COM Surrogate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
COM Surrogate
subdirectory
Windows

Targets

- Target
  
  Update.exe
- Size
  
  413KB
- MD5
  
  a47bdfa348d4ed9f8203656f8a62499a
- SHA1
  
  7247d8dd2f0ee2f17164ceaac818952991dd8899
- SHA256
  
  d84951f196002ba7b00af849ecb2b29ea9e61b3cee7a0dadb6fd595da3bd60b4
- SHA512
  
  9ae9a0591684c34d3c0e883b8ca7275405c4c22cd80f6505e31aef86dff91ed97419d7a78727620e5a5b4d7e40f9e3fee4a2f85fc29c607d258108c9bb3c209c
- SSDEEP
  
  6144:qNmEjkzQT1TVNe6AsBq61H+crK8mlbb/z3WdYfBJcxsq3GM:u1TVVwK1H+QPmxWKfBJcxsSGM
Score

10^/10

quasar office04 discovery execution spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04discoveryexecutionspywaretrojan

© 2018-2025

Terms | Privacy