quasar | dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd | Triage

Submit
Reports

Overview

overview

Static

static

1

dd9597fa53...bd.exe

windows7-x64

dd9597fa53...bd.exe

windows10-2004-x64

Sharing

General

Target

dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd.exe
Size

1003KB
Sample

250116-bl4hyatmfy
MD5

3e52270d58f81602e1004c6b4f72098f
SHA1

c9b006dbcee2d2faa333cc1b3b2a4c47419f697d
SHA256

dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd
SHA512

7926b744b212a02a5c90242e58bc6f6ee7864d16c523569e2f8d2577dcbc30ee70fd0712cea00892e1e122991b6f283edb40182bdd106b280f723ed4092606d8
SSDEEP

24576:NGd7ccE0a+UXGSafMOjDs3Cb94oKnCV8LvxXa0qOvOZth:QAcE0a7X2MOTanCV8LdrqcQh

Score

10^/10

quasar office discovery spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd.exe

Resource

win7-20240903-en

windows7-x64

13 signatures

120 seconds

Behavioral task

behavioral2

Sample

dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd.exe

Resource

win10v2004-20241007-en

quasar office discovery spyware trojan

windows10-2004-x64

18 signatures

120 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

85.192.29.60:2222

Mutex

hEFq7q568Cnv4s150F

Attributes

encryption_key
u7RV46VO1ujjhG9W4FhR
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Targets

- Target
  
  dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd.exe
- Size
  
  1003KB
- MD5
  
  3e52270d58f81602e1004c6b4f72098f
- SHA1
  
  c9b006dbcee2d2faa333cc1b3b2a4c47419f697d
- SHA256
  
  dd9597fa53774b4c390543d13cd559d0d5223e1d4e3207b4ca5dd90acff8dbbd
- SHA512
  
  7926b744b212a02a5c90242e58bc6f6ee7864d16c523569e2f8d2577dcbc30ee70fd0712cea00892e1e122991b6f283edb40182bdd106b280f723ed4092606d8
- SSDEEP
  
  24576:NGd7ccE0a+UXGSafMOjDs3Cb94oKnCV8LvxXa0qOvOZth:QAcE0a7X2MOTanCV8LdrqcQh
Score

10^/10

discovery quasar office spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasarofficediscoveryspywaretrojan

© 2018-2025

Terms | Privacy