quasar | 027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990 | Triage

Sharing

General

Target

2026.vbs
Size

275KB
Sample

250130-k1vn1symfq
MD5

3036e9c4718042d10f79bfff33890123
SHA1

506e3824f97a346ebfac946aaf19b13defa80cac
SHA256

027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990
SHA512

6cc407e53f5057a3469dc4cd62586cfa740339adcde218ef54446e9af75165aa08bbc088ec9f02015334c4f9abd4e3d69db4eb2ced0c66e8f8e3e1b1f4e70ebc
SSDEEP

3072:S9bhZuU+jd2EOHov4nc8b5tBuyAUvmSWBQ0MY5abVt+/710ROsvTkRoaDSyav3DW:CbhAZd2EOdTN7vrV0M2abV4jaTbwDEC

Score

10^/10

quasar discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Targets

- Target
  
  2026.vbs
- Size
  
  275KB
- MD5
  
  3036e9c4718042d10f79bfff33890123
- SHA1
  
  506e3824f97a346ebfac946aaf19b13defa80cac
- SHA256
  
  027ff65365c4f69731be566e541127a63d993d26f68738a462ec63b667226990
- SHA512
  
  6cc407e53f5057a3469dc4cd62586cfa740339adcde218ef54446e9af75165aa08bbc088ec9f02015334c4f9abd4e3d69db4eb2ced0c66e8f8e3e1b1f4e70ebc
- SSDEEP
  
  3072:S9bhZuU+jd2EOHov4nc8b5tBuyAUvmSWBQ0MY5abVt+/710ROsvTkRoaDSyav3DW:CbhAZd2EOdTN7vrV0M2abV4jaTbwDEC
Score

10^/10

discovery execution quasar persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

quasardiscoveryexecutionpersistencespywaretrojan