quasar | e40833934923e8135542bd32f4154e88baf072f811ae9363b0be3245569467e8

Analysis

max time kernel
20s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

505KB
MD5

2ccdccf6c147006da0230d8fdaea2f84
SHA1

ccdf21a6ceae06747523d3edf9684688fea0d504
SHA256

e40833934923e8135542bd32f4154e88baf072f811ae9363b0be3245569467e8
SHA512

39b81e5eada84f5a8bac52059f0f666100d405c9cd6c840da6c21925c67c10b2c3dbf8d2a40c7cc5a802e4060a10fca34dc32a8d096af79c739544dc7ab5cbbc
SSDEEP

6144:vNyVCNAEl137QnlX5XVbS8DS5zk2zHxqebKh3Sfa4bPkyhFAToV:16lE/7Qnlx48DTUxqqKNSfa4bPkysoV

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Executes dropped EXE 1 IoCs

pid	Process
3164	BuffXresolver.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\BuffXresolver.exe	Client-built.exe
File opened for modification	C:\Program Files\BuffXresolver.exe	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	Client-built.exe
Token: SeDebugPrivilege	3164	BuffXresolver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	BuffXresolver.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3164	4248	Client-built.exe	78
PID 4248 wrote to memory of 3164	4248	Client-built.exe	78

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files\BuffXresolver.exe
  "C:\Program Files\BuffXresolver.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BuffXresolver.exe

Filesize
505KB

MD5
2ccdccf6c147006da0230d8fdaea2f84

SHA1
ccdf21a6ceae06747523d3edf9684688fea0d504

SHA256
e40833934923e8135542bd32f4154e88baf072f811ae9363b0be3245569467e8

SHA512
39b81e5eada84f5a8bac52059f0f666100d405c9cd6c840da6c21925c67c10b2c3dbf8d2a40c7cc5a802e4060a10fca34dc32a8d096af79c739544dc7ab5cbbc

Download Submit
memory/3164-28-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/3164-27-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/3164-26-0x000000001CB50000-0x000000001CB58000-memory.dmp

Filesize
32KB

Download
memory/3164-25-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/3164-23-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/3164-22-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-4-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-18-0x00007FF8ECE25000-0x00007FF8ECE26000-memory.dmp

Filesize
4KB

Download
memory/4248-20-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-21-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-6-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-5-0x000000001BE50000-0x000000001BEB2000-memory.dmp

Filesize
392KB

Download
memory/4248-0-0x00007FF8ECE25000-0x00007FF8ECE26000-memory.dmp

Filesize
4KB

Download
memory/4248-3-0x000000001B2C0000-0x000000001B35C000-memory.dmp

Filesize
624KB

Download
memory/4248-2-0x00007FF8ECB70000-0x00007FF8ED511000-memory.dmp

Filesize
9.6MB

Download
memory/4248-1-0x000000001B870000-0x000000001BD3E000-memory.dmp

Filesize
4.8MB

Download