Overview

overview

10

Static

static

10

Quasar.v1.4.1.zip

windows11-21h2-x64

10

Quasar v1....e.html

windows11-21h2-x64

3

Quasar v1....to.dll

windows11-21h2-x64

1

Quasar v1....ok.dll

windows11-21h2-x64

1

Quasar v1....db.dll

windows11-21h2-x64

1

Quasar v1....db.dll

windows11-21h2-x64

1

Quasar v1....ks.dll

windows11-21h2-x64

1

Quasar v1....il.dll

windows11-21h2-x64

1

Quasar v1....at.dll

windows11-21h2-x64

1

Quasar v1....on.dll

windows11-21h2-x64

1

Quasar v1....ar.exe

windows11-21h2-x64

10

Quasar v1....xe.xml

windows11-21h2-x64

1

Quasar v1....ib.dll

windows11-21h2-x64

1

Quasar v1....nt.exe

windows11-21h2-x64

10

Quasar v1....et.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    79s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-12-2024 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\7zOCECD9B68\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCECD9B68\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:248
    • C:\Users\Admin\AppData\Local\Temp\7zOCEC27DA8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCEC27DA8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4740
    • C:\Users\Admin\AppData\Local\Temp\7zOCECE54E8\Quasar.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOCECE54E8\Quasar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    ad7a569bafd3a938fe348f531b8ef332

    SHA1

    7fdd2f52d07640047bb62e0f3d3c946ddd85c227

    SHA256

    f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

    SHA512

    b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zOCECD9B68\Quasar.exe
    Filesize

    1.2MB

    MD5

    12ebf922aa80d13f8887e4c8c5e7be83

    SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

    SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

    SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

    Download Submit

  • memory/248-12-0x00007FF9D6B73000-0x00007FF9D6B75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/248-13-0x0000022A680A0000-0x0000022A681D8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/248-14-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/248-15-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

    Filesize

    10.8MB

    Download