quasar | 43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e | Triage

Analysis

max time kernel
31s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 20:18

Sharing

Report Analysis Logs

General

Target

Quasar.exe
Size

1.2MB
MD5

12ebf922aa80d13f8887e4c8c5e7be83
SHA1

7f87a80513e13efd45175e8f2511c2cd17ff51e8
SHA256

43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
SHA512

fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275
SSDEEP

12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3832-1-0x000001A0AD680000-0x000001A0AD7B8000-memory.dmp	family_quasar

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	Quasar.exe

C:\Users\Admin\AppData\Local\Temp\Quasar.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-0-0x00007FFE57053000-0x00007FFE57055000-memory.dmp

Filesize
8KB

Download
memory/3832-1-0x000001A0AD680000-0x000001A0AD7B8000-memory.dmp

Filesize
1.2MB

Download
memory/3832-2-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-3-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download