quasar | 43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e | Triage

Analysis

max time kernel
839s
max time network
841s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 20:18

Sharing

Report Analysis Logs

General

Target

Quasar.exe
Size

1.2MB
MD5

12ebf922aa80d13f8887e4c8c5e7be83
SHA1

7f87a80513e13efd45175e8f2511c2cd17ff51e8
SHA256

43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
SHA512

fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275
SSDEEP

12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2332-1-0x0000000000AF0000-0x0000000000C28000-memory.dmp	family_quasar

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	Quasar.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2148	2332	Quasar.exe	30
PID 2332 wrote to memory of 2148	2332	Quasar.exe	30
PID 2332 wrote to memory of 2148	2332	Quasar.exe	30

C:\Users\Admin\AppData\Local\Temp\Quasar.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2332 -s 580
  2⤵
  PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000AF0000-0x0000000000C28000-memory.dmp

Filesize
1.2MB

Download
memory/2332-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-3-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download