quasar | 69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0 | Triage

Submit
Reports

Overview

overview

Static

static

1

69e99e962f...c0.bat

windows7-x64

8

69e99e962f...c0.bat

windows10-2004-x64

Sharing

General

Target

69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0.bat
Size

3.5MB
Sample

250128-g6eyzazmht
MD5

baea34214aa1a2aa90de5d0b3d841882
SHA1

5206d25733b9fcf0c4b52fb3002b8f5def87699d
SHA256

69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0
SHA512

7e906e15de93a06eb763d069ea07ca763e4e0fe0d8cb3a804aded05ac5063d65ef09fa2d130abce268d1c3fcee96b28701f6d1b9a612bd1b1dbcd0f0b53a5d3d
SSDEEP

49152:a066fNaUEnvOthWSIdX+H3bjAq+hbPVjS:n

Score

10^/10

quasar discovery execution spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0.bat

Resource

win7-20241023-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0.bat

Resource

win10v2004-20241007-en

quasar discovery execution spyware trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Targets

- Target
  
  69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0.bat
- Size
  
  3.5MB
- MD5
  
  baea34214aa1a2aa90de5d0b3d841882
- SHA1
  
  5206d25733b9fcf0c4b52fb3002b8f5def87699d
- SHA256
  
  69e99e962f784f1d4ac17447a74741ff7da3efe70522df9a7bc070b431e4bec0
- SHA512
  
  7e906e15de93a06eb763d069ea07ca763e4e0fe0d8cb3a804aded05ac5063d65ef09fa2d130abce268d1c3fcee96b28701f6d1b9a612bd1b1dbcd0f0b53a5d3d
- SSDEEP
  
  49152:a066fNaUEnvOthWSIdX+H3bjAq+hbPVjS:n
Score

10^/10

execution quasar discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

quasardiscoveryexecutionspywaretrojan

© 2018-2025

Terms | Privacy