quasar | 8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9 | Triage

Submit
Reports

Overview

overview

Static

static

bannas.exe

windows10-2004-x64

Sharing

General

Target

bannas.exe
Size

348KB
Sample

241214-y6rffatjat
MD5

7500a9269a35b159e854312282732728
SHA1

5b3d03a59af9e662f84fb2ab113e6275a9d502af
SHA256

8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9
SHA512

3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f
SSDEEP

6144:wk+zrEsiN1PDA3COn7bblr71T2fJYUzsgNkd:dxsiNczZsf2UzXkd

Score

10^/10

quasar office04 bootkit defense_evasion discovery persistence spyware trojan

Static task

static1

office04 quasar

3 signatures

Behavioral task

behavioral1

Sample

bannas.exe

Resource

win10v2004-20241007-en

quasar office04 bootkit defense_evasion discovery persistence spyware trojan

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

Mutex

QSR_MUTEX_86QM62MaEKfEyd8OVt

Attributes

encryption_key
zZvCiezIyCBIqqTBUeKo
install_name
security2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
security2
subdirectory
skibidi

Targets

- Target
  
  bannas.exe
- Size
  
  348KB
- MD5
  
  7500a9269a35b159e854312282732728
- SHA1
  
  5b3d03a59af9e662f84fb2ab113e6275a9d502af
- SHA256
  
  8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9
- SHA512
  
  3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f
- SSDEEP
  
  6144:wk+zrEsiN1PDA3COn7bblr71T2fJYUzsgNkd:dxsiNczZsf2UzXkd
Score

10^/10

quasar office04 bootkit defense_evasion discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Pre-OS Boot

Bootkit

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Pre-OS Boot

Bootkit

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

quasaroffice04bootkitdefense_evasiondiscoverypersistencespywaretrojan

© 2018-2025

Terms | Privacy