Overview

overview

10

Static

static

10

Quasar.exe

windows7-x64

10

Quasar.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.exe

  • Size

    1.2MB

  • MD5

    12ebf922aa80d13f8887e4c8c5e7be83

  • SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

  • SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

  • SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

  • SSDEEP

    12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quasar.exe
    "C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4004
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1360-16-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-15-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-11-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-12-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-13-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-6-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-14-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-17-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-5-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1360-7-0x000002771BB80000-0x000002771BB81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4004-0-0x00007FFAE2C43000-0x00007FFAE2C45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4004-1-0x0000023299EE0000-0x000002329A018000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4004-4-0x00007FFAE2C40000-0x00007FFAE3701000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4004-3-0x00000232B46B0000-0x00000232B481A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4004-2-0x00007FFAE2C40000-0x00007FFAE3701000-memory.dmp

    Filesize

    10.8MB

    Download