quasar | ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb | Triage

Submit
Reports

Overview

overview

Static

static

1

ef894d9401...cb.ps1

windows7-x64

8

ef894d9401...cb.ps1

windows10-2004-x64

Sharing

General

Target

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1
Size

2.1MB
Sample

241202-emkzrstpfm
MD5

f98a96a1061e03b2b06ce6092947351b
SHA1

60fb05ecf864e0c716473876b6bb47605dae047c
SHA256

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb
SHA512

9395ae433da87e28cb6a9d9d16d5d814aa2b39d6d7b568d548c8705f673e001cfd3578e8b729c1c5b7d429049edb6609a502d949627ad28af34ba4065f675220
SSDEEP

6144:DcVzJb1d4aU/hQVBJ2A7Is2Csr1Y5mH9OdHUb3ngoq:O

Score

10^/10

quasar office04 discovery execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1

Resource

win10v2004-20241007-en

quasar office04 discovery execution spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

ronymahmoud.casacam.net:4782

seznam.hopto.org:4782

Mutex

QSR_MUTEX_mn85pQSh0eqrA3kPek

Attributes

encryption_key
EjggXOgdqRrj8wGQ7mTy
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1
- Size
  
  2.1MB
- MD5
  
  f98a96a1061e03b2b06ce6092947351b
- SHA1
  
  60fb05ecf864e0c716473876b6bb47605dae047c
- SHA256
  
  ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb
- SHA512
  
  9395ae433da87e28cb6a9d9d16d5d814aa2b39d6d7b568d548c8705f673e001cfd3578e8b729c1c5b7d429049edb6609a502d949627ad28af34ba4065f675220
- SSDEEP
  
  6144:DcVzJb1d4aU/hQVBJ2A7Is2Csr1Y5mH9OdHUb3ngoq:O
Score

10^/10

execution quasar office04 discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasaroffice04discoveryexecutionspywaretrojan

© 2018-2025

Terms | Privacy