Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Quasar.v1.4.1.zip

windows7-x64

10

Quasar.v1.4.1.zip

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....e.html

windows7-x64

3

Quasar v1....e.html

windows10-2004-x64

3

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....se.txt

windows7-x64

1

Quasar v1....se.txt

windows10-2004-x64

1

Quasar v1....to.dll

windows7-x64

1

Quasar v1....to.dll

windows10-2004-x64

1

Quasar v1....ok.dll

windows7-x64

1

Quasar v1....ok.dll

windows10-2004-x64

1

Quasar v1.4.1/LICENSE

windows7-x64

1

Quasar v1.4.1/LICENSE

windows10-2004-x64

1

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

1

Quasar v1....db.dll

windows7-x64

1

Quasar v1....db.dll

windows10-2004-x64

1

Quasar v1....ks.dll

windows7-x64

1

Quasar v1....ks.dll

windows10-2004-x64

1

Quasar v1....il.dll

windows7-x64

1

Quasar v1....il.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar.v1.4.1.zip

  • Size

    3.3MB

  • MD5

    13aa4bf4f5ed1ac503c69470b1ede5c1

  • SHA1

    c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

  • SHA256

    4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

  • SHA512

    767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

  • SSDEEP

    49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

Mutex

460b3828-f738-4758-8b90-b34d6c48afd6

Attributes
  • encryption_key

    F122C497DF9EAA3340EC892D5AED1D6340233BC4

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 11 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2316
  • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
      2⤵
        PID:2336
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      PID:2728
    • C:\Users\Admin\Desktop\Client-built.exe
      "C:\Users\Admin\Desktop\Client-built.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2144
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2132
    • C:\Users\Admin\Desktop\Client-built.exe
      "C:\Users\Admin\Desktop\Client-built.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Users\Admin\Desktop\Client-built.exe
      "C:\Users\Admin\Desktop\Client-built.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2039016743-699959520-214465309-1000\a2dd33506bcf8715202318f787070c1d_d58f30ce-7498-4544-8c46-d67b11e386bc
      Filesize

      3KB

      MD5

      74a1322ea7cea3d06973e8f9fd9ed4a4

      SHA1

      7ffdf995fe9bd6ea55e2ecf1d87537a340e030fb

      SHA256

      b83a4041e8b70cca6b064f754ef49fd68a97b168ac14455f60bd98bb6f21f7b4

      SHA512

      19551177b48e244080ec3bb3054bdfb6f8f211e4b3cddc1b2a82fa0c9ddd6623b7fd5031388390fd9637fcb2ab0f4c3a625a34092e382fc37274192bad9937bf

      Download Submit

    • C:\Users\Admin\Desktop\Client-built.exe
      Filesize

      3.1MB

      MD5

      46a077251d4976ce992b7c0bb99c5dae

      SHA1

      362d83ab3ba133882d1a949154c3abd7a3992db2

      SHA256

      4cc336f4ad9b50f48c7c761473e2dfe15a5cc138bba0b886afb56f1ffa59c1f5

      SHA512

      d8b10d1c5e8606166cd19a1979c367db1700a3b76091216eb658342639571992db373e1dc57bde3d0685fe65aea96dd8bccb25d8f2d420bec86058d2f75f67b1

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\BouncyCastle.Crypto.dll
      Filesize

      3.2MB

      MD5

      0cf454b6ed4d9e46bc40306421e4b800

      SHA1

      9611aa929d35cbd86b87e40b628f60d5177d2411

      SHA256

      e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

      SHA512

      85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe
      Filesize

      3.1MB

      MD5

      df7598e580cad506f7dc5577c5bd18a3

      SHA1

      259f88d8ae65015e5f0ad7d751eb0365f7e91c4c

      SHA256

      482a29e67a1c2afb1792d18a7045f8d805fa99fd06ae4584bac969cfc24aa00e

      SHA512

      11eadec82fc5d6dae8b6094fcbbc3b77859aeb5171711df845ffb4ab547cd3a29415f1d5052eea619cf7401c9c3bc2effb9d9a46e86ca70021b0d14f292472eb

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Gma.System.MouseKeyHook.dll
      Filesize

      56KB

      MD5

      bfb3bd1cb571360435100bfa6ed2b997

      SHA1

      1325e8dd76180a165117e04da4ee4a020e996880

      SHA256

      a67a424013544c8270c12633e2e1e287cd5cf0b3f2e81e8d8204b37a03da59ef

      SHA512

      ae5a88a9e86b9e64b8c289213f814586dfa5fe5e0cc21bdbc3e48c36d81fa9e763c6e78f24e40df07696228270ad72f408846125e61e33cae867ef8ff88a3c15

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\LICENSE
      Filesize

      1KB

      MD5

      2656bf9fcaf47fa043715bbd3b2f5134

      SHA1

      5832164b16008d7396501f857f9f5f8799fd179c

      SHA256

      49a25b5003ae74dc02141ba8cd29e1515baf4a2bf8d783019cc2148e07688b9b

      SHA512

      4d8ca0fc4a8aca853925df5d93eeed1e7c232e1e3816fe096cf153bc6ff802258b7d7c58cbaab4817c3eb4acc7f888b0c622400783fdd3140c7fd954a40c095d

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.Mdb.dll
      Filesize

      42KB

      MD5

      1c6aca0f1b1fa1661fc1e43c79334f7c

      SHA1

      ec0f591a6d12e1ea7dc8714ec7e5ad7a04ef455d

      SHA256

      411f8ed8c49738fa38a56ed8f991d556227d13602e83186e66ae1c4f821c940b

      SHA512

      1c59e939d108f15881d29fe4ced4e5fa4a4476394b58b6eb464da77192cb8fe9221b7cd780af4596914d4cce7c3fc53f1bb567f944c58829de8efbe1fd87be76

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.Pdb.dll
      Filesize

      87KB

      MD5

      6d5eb860c2be5dbeb470e7d3f3e7dda4

      SHA1

      80c76660b87c52127b1a7da48e27700f75362041

      SHA256

      447ede1984bb4acd73bd97c0ec57a11c079cee8301c91fb199ca98c1906d3cc4

      SHA512

      64cf4fe7de68a35720d2b9338ba9cf182e127d95d72d2ccf7ff5c73a368133663e70c988a460825fa87b2d03717a4447948d5262f56aceb7c3bf1cb3ab5a41a5

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.Rocks.dll
      Filesize

      27KB

      MD5

      6e7f0f4fff6c49e3f66127c23b7f1a53

      SHA1

      14a529f8c7ee9f002d1e93dcf8ff158ab74c7e1a

      SHA256

      2e2623319bdc362974a78ea4a43f4893011ec257884d24267f4594142fcd436e

      SHA512

      0c773da6717dd6919cd6241d3cee26ab00bb61ea2dbeff24844a067af4c87ff5cbdb2fe3ada5db4707cee921b3fb353bd12ee22b8490597d4f67ad39bace235e

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Mono.Cecil.dll
      Filesize

      350KB

      MD5

      de69bb29d6a9dfb615a90df3580d63b1

      SHA1

      74446b4dcc146ce61e5216bf7efac186adf7849b

      SHA256

      f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

      SHA512

      6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Open.Nat.dll
      Filesize

      68KB

      MD5

      cc6f6503d29a99f37b73bfd881de8ae0

      SHA1

      92d3334898dbb718408f1f134fe2914ef666ce46

      SHA256

      0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5

      SHA512

      7f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml
      Filesize

      1018B

      MD5

      53533846da6fb0114f65ea865f50fac5

      SHA1

      4d502fe2d04b6b5970d9f0a0540c35c9e75eba95

      SHA256

      941970a02c9d91c77d70e1f3d16ebdb18d292735e0715d2bbcbcd07019bbe9c4

      SHA512

      12e133c1291072157ed5cea5e8646a84f831e009eb4dc4e0842ac2b963aaca04d4ac52ade10a9650d4a03ad94a999da6529437a9017424b15e784b543760ba63

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml
      Filesize

      199B

      MD5

      49b95159190c0bf5e00d01d1fd371513

      SHA1

      ffc6d33cb2294a35fc1c4d6aac25e3b66151e52c

      SHA256

      5becabb6ceb694417fba7e6e62bdaa62c5dbc37ccea0d718313365b6f0a73db2

      SHA512

      7c1a75c4612271fc789ab64b615bb5016598f93cd61633143c71b0576a1bd1be2b0c5b335a8eb1138b0ff41ef6b983efdbbe1af8bd0055289b8c399ef66ec6b7

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.Common.dll
      Filesize

      62KB

      MD5

      2185564051ea2e046d9f711ed3cd93ff

      SHA1

      2f2d7fd470da6d126582ad80df2802aabd6c9cea

      SHA256

      de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2

      SHA512

      00af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
      Filesize

      1.2MB

      MD5

      12ebf922aa80d13f8887e4c8c5e7be83

      SHA1

      7f87a80513e13efd45175e8f2511c2cd17ff51e8

      SHA256

      43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

      SHA512

      fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe.config
      Filesize

      176B

      MD5

      c8cd50e8472b71736e6543f5176a0c12

      SHA1

      0bd6549820de5a07ac034777b3de60021121405e

      SHA256

      b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190

      SHA512

      6e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\Vestris.ResourceLib.dll
      Filesize

      76KB

      MD5

      944ce5123c94c66a50376e7b37e3a6a6

      SHA1

      a1936ac79c987a5ba47ca3d023f740401f73529b

      SHA256

      7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

      SHA512

      4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\client.bin
      Filesize

      3.1MB

      MD5

      f4d16cfe4cad388255e43f258329f805

      SHA1

      fe7cc6c9eb76b5ad97867b46d053fae601fd4a2d

      SHA256

      8fb6ae3496d4ac025eab443d3e322b0faa3461d25b54093c9205d35746e3250e

      SHA512

      867045eac0f7765e6bea51e62bc4ed68b1e81ce6c2843d2e08714eb391a8ac94c2571c09828286252248400ea5c12bffa50a25c8ec5ad9e6d0bb836320ec188f

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\protobuf-net.dll
      Filesize

      282KB

      MD5

      abc82ae4f579a0bbfa2a93db1486eb38

      SHA1

      faa645b92e3de7037c23e99dd2101ef3da5756e5

      SHA256

      ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6

      SHA512

      e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3

      Download Submit

    • C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12
      Filesize

      4KB

      MD5

      987ef5e5c2499bd1dc48bb7bc6ec162d

      SHA1

      e055ee684e1bacd728880eb7c6d5adeac7bae7b9

      SHA256

      32c8bf9e819d9a818e1e6019a3ff36f9e0f1822ab6f163fda16e385e1fef7959

      SHA512

      4dcbb972b2f2ac70c89732ff86054810617fd5688e8e579d21bc821fbdc03bdf33c448b1d60131ee7086547cc25552a84630318b22c834400ea94f95e86f18e7

      Download Submit

    • memory/1036-185-0x0000000000FC0000-0x00000000012E4000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1584-192-0x0000000000360000-0x0000000000684000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1924-81-0x000000001EED0000-0x000000001EEEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1924-49-0x0000000000500000-0x0000000000516000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1924-51-0x000000001F210000-0x000000001F53E000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1924-47-0x00000000012C0000-0x00000000013F8000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1924-70-0x000000001C830000-0x000000001C848000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1924-72-0x000000001CA10000-0x000000001CA5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1924-79-0x0000000021C30000-0x0000000021C8E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/2728-73-0x0000000003D10000-0x0000000003D20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-194-0x0000000000310000-0x0000000000634000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2892-196-0x0000000000D40000-0x0000000001064000-memory.dmp

      Filesize

      3.1MB

      Download