quasar | 8996eea27038c155ff56b2e92be7890b9563a4f16f3429eefebca9185f0c96bb

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

502KB
MD5

e2deea190fb3295976a3bf18d070233b
SHA1

e056164cfb9eb114f961f19e7181f60003ae0ce5
SHA256

8996eea27038c155ff56b2e92be7890b9563a4f16f3429eefebca9185f0c96bb
SHA512

ff2df89e00e2ecb2b88bb620885ba08e9aed29721e2d22b5c2c64f9736e097e37045dfcef8a80f1518135c5e62725ec02dcbddd492af2ab5a687980a3e2b4362
SSDEEP

6144:RTEgdc0YvXAGbgiIN2RSBUAb4qqpdNHKX6gYcEbOb899VTUjp9NcF95yEcTR3S:RTEgdfYnbgBO1cYrh3y9SFnyEcdS

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

141.11.109.176:1337

Mutex

ca86f6fa-6854-4e21-a291-bafe58087953

Attributes

encryption_key
66AB7C24B21EDAE67341911E0531E758FE651040
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4928-1-0x0000000000970000-0x00000000009F4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4928	Client-built.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4928	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4928-0-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-1-0x0000000000970000-0x00000000009F4000-memory.dmp

Filesize
528KB

Download
memory/4928-2-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download
memory/4928-3-0x000000001C240000-0x000000001C290000-memory.dmp

Filesize
320KB

Download
memory/4928-4-0x000000001C350000-0x000000001C402000-memory.dmp

Filesize
712KB

Download
memory/4928-5-0x00007FF99A1B0000-0x00007FF99A3A5000-memory.dmp

Filesize
2.0MB

Download